Exam CLF-C01
After completing this course, you will know how to:
• Describe basic cloud computing concepts such as scalability, elasticity, agility, high availability, fault tolerance, and disaster recovery; explain CapEx and OpEx computing costs and the consumption-based model; identify cloud deployment models including public, private, and hybrid; and explain cloud service models such as IaaS, PaaS, and SaaS, as well as the shared responsibility model
• Describe AWS purchasing options, compare the various AWS pricing models, and describe the AWS Free Tier; describe cost planning and management, including the Billing and Cost Management console, AWS Organizations, AWS Cost Explorer, AWS Budgets, the AWS Pricing Calculator, and AWS Trusted Advisor; distinguish between the various AWS Support Plans; and describe and compare service-level agreements (SLAs) and composite SLAs
• Describe core architectural components such as Regions, edge locations, Availability Zones, Local Zones, and resource groups; describe and use AWS tools such as the AWS Management Console, AWS CLI, AWS CloudShell, and the AWS Console Mobile Application; and identify and use AWS monitoring tools such as Amazon CloudWatch, AWS CloudTrail, Trusted Advisor, and the AWS Health Dashboard
• Describe compute services such as Elastic Compute Cloud (EC2) instances, Auto Scaling, Elastic Container Service (ECS) and Fargate, and Elastic Kubernetes Service (EKS); explain serverless computing and AWS products such as Lambda; describe Elastic Beanstalk and the AWS Marketplace; and describe AWS networking services, including Virtual Private Cloud (VPC), VPN Gateway, Route 53, Direct Connect, and AWS PrivateLink
• Describe AWS storage, including the usage of Amazon Elastic Block Store (EBS), Amazon Elastic File System (EFS), Amazon Simple Storage Service (Amazon S3), AWS Backup, AWS Storage Gateway, and the AWS Snow Family; explain AWS databases, including the usage of Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon Redshift, and Amazon ElastiCache; and describe the AWS Database Migration Service
• Explain AWS messaging and queuing and products such as Amazon Simple Notification Service (Amazon SNS) and Amazon Simple Queue Service (Amazon SQS); describe the Internet of Things (IoT) and identify AWS IoT products such as AWS IoT Core, AWS IoT Device Management, AWS IoT Device Defender, and AWS IoT 1-Click; explain big data and analytics and products such as Amazon Athena, Amazon EMR, Amazon Redshift, Amazon Kinesis, Amazon Elasticsearch Service, Amazon QuickSight, and AWS Glue; describe artificial intelligence (AI) and machine learning (ML) and identify AWS AI and ML services such as Amazon Kendra, Amazon Comprehend, Amazon Personalize, and Amazon SageMaker; and explain DevOps solutions such as AWS CodeCommit, CodeArtifact, CodeBuild, CodeDeploy, CodePipeline, Cloud9, AWS CodeStar, and X-Ray
• Describe cloud security fundamentals and AWS security services; explain authentication and authorization for the AWS Cloud, including MFA and SSO; describe AWS detection and incident response services; and identify AWS infrastructure and data protection services
• Explain AWS governance features, including Identity and Access Management (IAM), AWS policies, AWS CloudFormation, and the AWS Cloud Adoption Framework; describe privacy and compliance resources, such as the Amazon core tenets of Security, Privacy, and Compliance and the purpose of the Amazon Privacy Statement; and explain AWS compliance features
In this chapter, you'll learn how to:
• Describe basic cloud computing concepts
• Explain CapEx and OpEx computing costs and the economies of scale
• Identify cloud deployment models
• Explain cloud service models

In this module, you'll learn how to:
• Describe cloud computing
• Identify cloud computing services such as compute, networking, storage, and analytics
• Explain cloud computing benefits such as high availability, scalability, elasticity, agility, fault tolerance, and disaster recovery
• Cloud computing is a service that delivers shared computing resources on demand via the internet.
• Virtualization is software that makes computer systems independent of physical hardware.

• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service

• Cloud service providers (CSPs)
• Cloud services
  – Compute
  – Storage
  – Networking
  – Analytics

• Virtual machines
• Virtual servers (instances)
• Containers
• Serverless computing
• A software (virtual) version of a computer system.
• Components
  – Host OS
  – Hypervisor
  – Guest OS
  – VMs

• A virtual server that you can use to run applications in the AWS Cloud.
• AWS offers 28 types of instances that are divided into the following categories:
  – General purpose
  – Compute-optimized
  – Memory-optimized
  – Accelerated computing
  – Storage-optimized

• Similar to VMs, but they don't require a guest operating system.
• Components
  – Host OS
  – Container engine (Docker)
  – Containers

• Functions are composed of code and configuration parameters.
• Function packages are uploaded to a cloud provider server.
• Components
  – Host OS
  – Serverless runtime
  – Functions
• On-demand network resources
  – Bandwidth
  – Firewalls
  – Virtual routers
  – Network management software
• Low latency
  – Latency is the time it takes for a request to travel from the user to the server and for the response to return to the user.
• A reliable cloud network provides centralized management, control, and visibility.
• Benefits
  – Cost savings
  – Reliability
  – Speed
  – Versatility

• Cloud-based storage collects and saves your data.
• Examples of reading or writing data:
  – Sending an email message
  – Leaving a voicemail on a mobile or digital phone
  – Buying a concert ticket online
  – Looking up the price of a product online
  – Looking up statistics on your favorite sports team
  – Taking a picture

• Business intelligence
• Components
  – Data sources
  – Data models
  – Processing application
  – Computing power
  – Analytical models
  – Storage and sharing of data
• Lift and shift
  – Removing services from an on-site location and transferring them to the cloud
• Pay-as-you-go or consumption-based pricing model
• Benefits
  – No upfront capital expenditures for infrastructure
  – No need to purchase and manage costly, unnecessary infrastructure that is only needed for future growth
  – Paying for services and resources only when they are used or needed
  – Ceasing to pay for services and resources that are no longer used or needed

• Allocate services and resources based on the demand or load at any given time
• Horizontal scaling: scaling out
• Vertical scaling: scaling up
• Scaling can be done manually or automatically

• An elastic cloud computing system can automatically compensate for workload changes by adding or removing resources as needed.
• The ability to rapidly and easily accomplish some task
• Resource availability
• Business response

• A high availability cloud system is one that is accessible 99.999% of the time, or as close to that as possible.

• A fault-tolerant system takes high availability one step further by guaranteeing 100% uptime, or zero downtime.
• You can achieve fault tolerance in cloud computing systems by keeping VM copies on a separate host machine or within different Availability Zones.

• The ability of a workload to perform its intended function correctly and consistently when it's expected to, throughout its total life cycle.
• Some ways you can increase reliability:
  – Use automation to recover from failures.
  – Test recovery procedures.
  – Scale horizontally to increase aggregate workload availability.
  – Optimize capacity.

• Disaster recovery goes beyond high availability or fault tolerance and consists of a complete plan to recover critical business systems.
• Time to recover
• Recovery point
• Most cloud service providers (CSPs) automatically install software patches and upgrades, manage hardware setup, and perform other IT management tasks.
• CSPs also ensure you're using the latest tools to run your business.
• Additionally, the CSP maintains and upgrades the physical infrastructure.

• Broad set of technologies
• Policies
• Controls
• Expert technical skills
• Heavy investment in physical security

• The AWS Well-Architected Framework helps you understand the pros and cons of decisions you make while building systems on AWS.
• Built around six pillars:
  – Operational Excellence
  – Security
  – Reliability
  – Performance Efficiency
  – Cost Optimization
  – Sustainability
Which of the following compute services uses a hypervisor? Choose the best response.
A. Virtual machines
B. Containers
C. Serverless computing
D. Functions
Answer: A

You have an on-site network that contains several servers. You are planning to migrate all the servers to the cloud. You need to recommend a solution to ensure that some of the servers are available if a single cloud data center goes offline for an extended period. What should you include in the recommendation? Choose the best response.
A. Low latency
B. Fault tolerance
C. Elasticity
D. Scalability
Answer: B

Your company hosts an accounting application named MyAccount that is used by all the customers of the company. MyAccount has low usage during the first three weeks of each month and very high usage during the last week of each month. Which benefit of cloud computing supports cost management for this type of usage pattern? Choose the best response.
A. High availability
B. Elasticity
C. Load balancing
D. Low latency
Answer: B

Match the Azure Cloud Services benefit to the correct description.
Benefits: Disaster recovery; Fault tolerance; Low latency; Dynamic scalability
Descriptions:
1. A cloud service that remains after a failure occurs
2. A cloud service that can be recovered after a failure occurs
3. A cloud service that performs quickly when demand increases
4. A cloud service that can be quickly accessed from the internet
Answer: 1. Fault tolerance; 2. Disaster recovery; 3. Dynamic scaling; 4. Low latency

Data storage includes data that is read or written. True or false?
A. True
B. False
Answer: True
In this module, you'll learn about:
• The differences between capital expenditures (CapEx) and operational expenditures (OpEx)
• The consumption-based model
• The economies of scale

• Capital expenditure (CapEx)
  – Typically large, upfront costs for purchasing infrastructure
• Operational expenditures (OpEx)
  – Ongoing costs

• Servers
• Storage
• Network
• Backup and archive
• Organization continuity and disaster recovery costs
• Data center infrastructure
• Technical personnel
• Over-provisioning
• Under-provisioning

• Cloud computing
• Variable expenditures based on usage/demand
• Software subscriptions and customizations

• Pay-as-you-go
• Benefits
  – No need to pay upfront for infrastructure
  – Only pay for services and resources when they are needed
  – No need to purchase and manage an infrastructure that might be needed for future capacity

• Because cloud providers operate multiple, large-scale data centers, they can do things at a lower cost per unit and more efficiently.
• Benefits
  – Acquiring hardware
  – Making deals with various governments, agencies, and utilities to get tax savings
  – Obtaining lower pricing on utilities
You have 1,000 EC2 instances in a data center. You plan to migrate all the EC2 instances to AWS On-Demand pricing. You need to identify which expenditure model to use for the planned AWS solution. Which expenditure model should you identify? Choose the best response.
A. Capital
B. Elastic
C. Scalable
D. Operational
Answer: D

Cloud computing provides flexibility between capital expenditures (CapEx) and operational expenditures (OpEx). True or false?
A. True
B. False
Answer: True

Which of the following occurs when capacity exceeds demand, resulting in unused resources in an on-site data center? Choose the best response.
A. Over-provisioning
B. Under-provisioning
C. Elasticity
D. Scalability
Answer: A

AWS On-Demand pricing is an example of CapEx. True or false?
A. True
B. False
Answer: False

Which of the following is a benefit of the economies of scale? Select all that apply.
A. Acquiring hardware such as servers, networking, and storage at a lower cost
B. Acquiring hardware such as servers, networking, and storage at a higher cost
C. Making deals with various governments, agencies, and utilities to get tax savings
D. Higher pricing on utilities such as power, cooling, and high-speed network connectivity between sites
E. Lower pricing on utilities such as power, cooling, and high-speed network connectivity between sites
Answer: A, C, and E
In this module, you'll learn how to:
• Describe cloud deployment models
• Describe cloud service models

• Deployment models describe who can access a given cloud service.

• Open and available to the public.
• It may be a paid service or even offered for free.
• Can be owned and hosted by any sort of public or private organization.
• Cloud services offered directly to consumers.

• Accessible only to a single organization, though it is shared among multiple divisions or business units.
• It might be on-site (on-premises) or off.
• It might be owned and managed by the organization or by a third party.

• Public and private clouds that are bound together.

• Several organizations share the cloud service because they have mutual needs and concerns.

• Distributed cloud
  – Formed by distributed systems connected to a single network.
• Multicloud
  – One organization uses multiple public cloud providers to run its workload, typically to avoid provider lock-in.
• Polycloud
  – One organization uses multiple public cloud providers to leverage specific services from each provider.

• Three main models
• Differ in cost, ownership, and management

• The customer rents IT hardware instead of buying it
• Shared-responsibility model
• Common uses:
  – Backup, storage, and recovery
  – Testing and development
  – Migrating workloads
  – Website hosting and web apps
• The main benefit is that it reduces or eliminates capital expenses and can also reduce the ongoing costs of managing and maintaining an on-site data center

• Provides access to a computing platform or software environment that the customer can use to develop and host web-based applications
• Common uses:
  – Application development
  – Analytics or business intelligence
• PaaS offers a variety of middleware, such as development tools and application frameworks, that can cut coding time for new apps.

• Subscription-based access to applications or databases; sometimes referred to as "on-demand software."
• The SaaS provider handles maintenance and support.
• Pricing is usually either a subscription fee or pay-by-use.
• One of the main advantages of SaaS to customers is that they always have the latest version of the software during the length of their subscription.

• Function-as-a-Service (FaaS)
• Storage-as-a-Service (STaaS)
• Information-as-a-Service (INFOaaS)
• Security-as-a-Service (SECaaS)
Comparison of an on-site data center with IaaS, PaaS, and SaaS:

CapEx costs
  – On-site data center: Typically requires large, upfront CapEx payments.
  – IaaS: No CapEx costs.
  – PaaS: No CapEx costs.
  – SaaS: No CapEx costs.

OpEx costs
  – On-site data center: The organization pays OpEx costs for running the data center and for staffing.
  – IaaS: The customer pays OpEx costs for services consumed.
  – PaaS: The customer pays OpEx costs for services consumed.
  – SaaS: The customer pays OpEx costs as a subscription for the software, usually billed monthly or annually.

Customer ownership
  – On-site data center: The organization owns all infrastructure equipment and software.
  – IaaS: The customer is responsible for the purchase, installation, configuration, and management of their own operating systems, middleware, applications, and other software.
  – PaaS: The customer is responsible for the development of their own applications.
  – SaaS: The customer just uses the application software. They are not responsible for any maintenance or management of that software.

Cloud provider ownership
  – On-site data center: No ownership.
  – IaaS: The provider owns all infrastructure and is responsible for making sure it is available for the customer.
  – PaaS: The provider owns all infrastructure and is responsible for operating system management, network, and service configuration.
  – SaaS: The provider owns the application software and is responsible for the provisioning, management, and maintenance of it.
Which of the following are true about a PaaS solution that hosts web apps? Select all that apply.
A. It provides full control of the operating systems that host applications.
B. It provides the ability to scale the platform automatically.
C. It limits the control and access of your applications and data.
D. It provides professional development services to add new features to custom applications.
Answer: B and D

An organization that hosts its infrastructure in a private cloud can close its data center. True or false?
A. True
B. False
Answer: False

What are two characteristics of the public cloud? Select two.
A. Dedicated hardware
B. Metered pricing
C. Unsecured connections
D. Limited storage
E. Self-service management
Answer: B and E

When planning to migrate a public website to a cloud, you must… Choose the best response.
A. Plan to pay monthly usage costs
B. Deploy a VPN
C. Plan to pay for transferring all the website data to the cloud
D. Plan to reduce the number of connections to the website
Answer: A

Order the deployment models by the user/consumer's management responsibilities, from highest to lowest.
1. SaaS
2. IaaS
3. On-site data center
4. PaaS
Answer: 3, 2, 4, 1

A virtual machine is what type of cloud deployment? Choose the best response.
A. On-site data center
B. IaaS
C. PaaS
D. SaaS
Answer: B

A managed SQL database is an example of what type of cloud deployment? Choose the best response.
A. On-site data center
B. IaaS
C. PaaS
D. SaaS
Answer: C
You should now know how to:
• Describe basic cloud computing concepts such as scalability, elasticity, agility, high availability, fault tolerance, and disaster recovery
• Explain CapEx and OpEx computing costs and the consumption-based model
• Identify cloud deployment models including public, private, and hybrid
• Explain cloud service models such as IaaS, PaaS, and SaaS, as well as the shared responsibility model

You will learn how to:
• Compare and contrast the various AWS pricing models
• Describe cost planning and management features for AWS, including Billing and Cost Management, AWS Organizations, the AWS Pricing Calculator, Cost Explorer, AWS Budgets, and AWS Trusted Advisor
• Explain AWS support plans and SLAs

You will learn how to:
• Describe AWS purchasing options
• Compare and contrast the various pricing models for AWS
• Describe the AWS Free Tier
• AWS.Amazon.com
• AWS Partner Network

• Traditional consumption-based model, as it's pay-as-you-go pricing
• Several models that allow customers to take advantage of reduced pricing

• Pay-as-you-go pricing
• Charged monthly for the cost of the services and resources that you consume
• With a pay-as-you-go model, your organization can reduce the risks of over-provisioning (underutilization) or under-provisioning (missing capacity)

• A cost-saving option that allows you to prepay for certain AWS resources like Amazon EC2 and Amazon RDS
• Save up to 75 percent off the pay-as-you-go cost
• Require a commitment for a specified time period, usually one or three years
• Convertible RIs are a type of Reserved Instance with attributes that can be changed during the term

• A flexible pricing model that offers savings of up to 72%
• You make an hourly commitment to using a specific amount of compute power (measured in price/hour) for a 1- or 3-year term

• Volume-based discounts
• Pay less when you use more

• Unused capacity that is made available for a lower price than the pay-as-you-go (On-Demand) pricing
• Well suited for non-critical computing tasks
  – Batch jobs
  – Background processing
  – Data analysis
• Not ideal for crucial workloads that can't be interrupted

• Spot price
• Spot Instance pool
• Spot Instance request
• Spot Fleet
• Spot Instance interruption
• EC2 instance rebalance recommendation

• A single-tenant physical server that is fully dedicated to your use
• Generally used by organizations that have strict regulatory and compliance requirements

• Makes certain amounts and types of resources available free of charge to new AWS accounts for a one-year period
• Always free
  – Products and services in these Free Tier offers do not expire and are available to all AWS customers
• 12 months free
  – These offers are only available to new AWS customers
• Trials
  – Short-term offers for products and services that start when you first use the item
• To see all offers, visit https://aws.amazon.com/free

• Assigned when first signing up for the AWS account.
• Don't use the root user for everyday tasks.
• Create the first IAM user and assign Administrator permissions.
• Anyone who has root user credentials for your AWS account has unrestricted access to all the resources in your account, including your billing information.
Which compute option reduces costs when you commit to an hourly amount of compute usage for a 1-year or 3-year term? Choose the best response.
A. Spot Instances
B. Reserved Instances
C. Savings Plans
D. Dedicated Hosts
E. Tiered pricing
F. On-Demand Instances
Answer: C

Which of the following is a cost-saving option that allows you to prepay for certain AWS resources like Amazon EC2 and Amazon RDS? Choose the best response.
A. Spot Instances
B. Reserved Instances
C. Savings Plans
D. Dedicated Hosts
E. Tiered pricing
F. On-Demand Instances
Answer: B

Which pricing model allows you to benefit from the economies of scale? Choose the best response.
A. Spot Instances
B. Reserved Instances
C. Savings Plans
D. Dedicated Hosts
E. Tiered pricing
F. On-Demand Instances
Answer: E

Which of the following describes AWS On-Demand (pay-as-you-go) pricing? Choose the best response.
A. You replace large upfront capital expenses with low fixed payments.
B. You replace low upfront capital expenses with large variable payments.
C. You replace large upfront capital expenses with low variable payments.
D. You replace low upfront capital expenses with large fixed payments.
Answer: C

An organization is considering reserving EC2 compute capacity for three years to obtain a large discount. What type of RI can they choose that will allow them to modify the reservation if needed? Choose the best response.
A. Standard RIs
B. Convertible RIs
C. Elastic RIs
D. Scheduled RIs
Answer: B

The AWS Free Tier includes offers that are available to new AWS customers for a certain period of time following their AWS sign-up date. What is the duration of this period? Choose the best response.
A. 3 months
B. 6 months
C. 9 months
D. 12 months
Answer: D

AWS offers some products for free all the time. True or false?
A. True
B. False
Answer: True

Your organization needs to run a web application for a single day (with no interruptions). Which of the following should you use when purchasing your EC2 instance? Choose the best response.
A. On-Demand instances
B. Spot instances
C. Reserved instances
D. Convertible RIs
Answer: A

Your organization needs to run a web application to process millions of recipes. The application is set up to resume processing if it is interrupted. Which of the following EC2 instance buying options would be the most cost-effective? Choose the best response.
A. On-Demand instances
B. Spot instances
C. Reserved instances
D. Savings Plans
E. Convertible RIs
Answer: A

Which of the following is NOT correct for EC2 On-Demand instances?
A. On-Demand instances use a pay-as-you-go pricing model.
B. On-Demand instances require paying a startup fee.
C. On-Demand instances do not require a commitment or upfront payment.
D. On-Demand instances are charged per second based on an hourly rate.
Answer: B
In this module, you'll learn how to:
• Describe the factors affecting cloud costs, such as services, resource types, and regions
• Describe the benefits of AWS Organizations and consolidated billing
• Explain the benefits of AWS Cost Explorer
• Describe the benefits of AWS Budgets
• Explain the benefits of the AWS Pricing Calculator
• Describe the benefits of AWS Trusted Advisor

When you create your cloud solution, you should try to answer the following questions:
• What will the monthly and yearly cost be for this solution?
• Is there a different configuration or other options that would save money?
• Can you estimate how different configurations, instances, or options would impact your cost and performance without deploying the configurations in a production setting?

• Usage meters track the consumption of all resources and generate a usage record.
• The types of usage meters and associated pricing vary per product and service.

• Resource types and usage meters
• Services
• Regions

You can use AWS Billing and Cost Management to:
• Manage billing access to costs
• Handle billing administrative tasks, such as paying your bill
• Download the cost and usage data that was used to generate your monthly invoice
• Set spending thresholds
• Proactively apply data analysis to your costs
• Detect opportunities for workload modifications that can optimize your spending

The Billing and Cost Management service is closely integrated with AWS Identity and Access Management (IAM).
• Managers
• Finance
• App or Dev teams

• Planning
• Visibility
• Accountability
• Optimization
• Iteration
• Cost management lifecycle

• AWS tracks your service and resource usage and provides estimated charges associated with your account.
• Each report contains line items for each unique combination of AWS product, usage type, and operation that you use in your AWS account.
• You can customize Cost & Usage Reports to collect the information by the hour, day, or month.
• Cost & Usage Report files consist of a .csv file or a combination of .csv files and a manifest file.

• Centrally manage all AWS accounts for an organization and invite other accounts to join.
• Consolidate billing for member accounts.
• Create a hierarchical grouping of your accounts to meet your budgetary, security, or compliance needs.
• Apply policies to centralize access and control over the AWS services and API actions that each account can perform.
• Apply policies to standardize tags for your organization's resources.
• Apply policies to control how AWS artificial intelligence (AI) and machine learning services can collect and store data.
• Apply backup policies to configure automatic backups for your organization's resources.
• Use Identity and Access Management (IAM) to control users and roles in individual accounts or a group of accounts.

• Consolidated billing allows you to receive a single bill for all of the accounts in your organization.
• Consolidated billing has the following benefits:
  – Free service
  – One bill
  – Easy tracking
  – Combined usage

• What are the estimated costs for the current month?
• How much has the organization incurred so far this month?
• Will the organization stay under budget?
• Is the latest invoice going to be more than the previous month's?
• How did spending habits change from the previous month?
• What are the cost trends?
• Are there any cost outliers?
• How should the invoiced charges be broken down for the organization?

• Create estimates for your AWS solutions.
• The pricing calculator gives you an estimate of the costs per service and the total cost.
• AWS offers two APIs that you can use to query prices:
  – AWS Price List Bulk API: You can use this API to query the prices of AWS services in bulk. The API returns either a JSON or a CSV file.
  – AWS Price List Query API: You can use this API to query specific information about AWS services, products, and pricing using an AWS SDK or the AWS CLI. This API can retrieve information about certain products or prices, rather than retrieving prices in bulk.

• Cost Explorer is a free tool in the AWS Billing and Cost Management console that enables you to view and analyze your usage and resulting costs.
• Tags are a way you can organize your AWS resources and management hierarchy.
  – Made up of a key and value pair
  – Identify resources
  – Use as a Cost Explorer filter
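The Cost & Usage Report line items, consolidated billing across member accounts, and tag-based filtering described above can all be exercised on one small report file. The following is an added example and not part of the course material: it parses a constructed CSV extract that uses the standard CUR column names (lineItem/ProductCode, lineItem/UsageType, lineItem/Operation, lineItem/UnblendedCost, resourceTags/user:Project), then totals cost per line item, per account and per tag value the way Cost Explorer groups and filters do. The account IDs, usage figures, costs and tag values are made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample Cost & Usage Report (CUR) extract. Column names follow the
# CUR schema (lineItem/* and resourceTags/user:* columns); the account IDs,
# usage amounts, costs and tag values are invented for this example.
SAMPLE_CUR_CSV = """\
lineItem/UsageAccountId,lineItem/ProductCode,lineItem/UsageType,lineItem/Operation,lineItem/UsageStartDate,lineItem/UsageAmount,lineItem/UnblendedCost,resourceTags/user:Project
111111111111,AmazonEC2,BoxUsage:t3.micro,RunInstances,2024-03-01T00:00:00Z,24.0,0.2496,web
111111111111,AmazonEC2,BoxUsage:t3.micro,RunInstances,2024-03-02T00:00:00Z,24.0,0.2496,web
111111111111,AmazonS3,TimedStorage-ByteHrs,StandardStorage,2024-03-01T00:00:00Z,1000.0,0.0230,web
222222222222,AmazonRDS,InstanceUsage:db.t3.micro,CreateDBInstance,2024-03-01T00:00:00Z,24.0,0.4080,analytics
222222222222,AmazonEC2,BoxUsage:m5.large,RunInstances,2024-03-01T00:00:00Z,24.0,2.3040,
"""

COST_COLUMN = "lineItem/UnblendedCost"


def parse_cur(csv_text):
    """Parse CUR CSV text into a list of row dicts; the cost column becomes a float."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row[COST_COLUMN] = float(row[COST_COLUMN])
        rows.append(row)
    return rows


def cost_by(rows, column):
    """Sum unblended cost per distinct value of `column` (product code, usage
    type, account ID, tag value, ...). Empty values, e.g. resources that carry
    no cost-allocation tag, are grouped under "(untagged)"."""
    totals = defaultdict(float)
    for row in rows:
        key = row.get(column) or "(untagged)"
        totals[key] += row[COST_COLUMN]
    return dict(totals)


def cost_by_line_item(rows):
    """Aggregate at the report's own granularity: one total per unique
    (product, usage type, operation) combination, across all time periods."""
    totals = defaultdict(float)
    for row in rows:
        key = (row["lineItem/ProductCode"], row["lineItem/UsageType"], row["lineItem/Operation"])
        totals[key] += row[COST_COLUMN]
    return dict(totals)


def filter_by_tag(rows, tag_key, tag_value):
    """Cost Explorer-style tag filter: keep only rows whose user tag matches."""
    column = f"resourceTags/user:{tag_key}"
    return [row for row in rows if row.get(column) == tag_value]


def consolidated_total(rows):
    """Consolidated-billing view: a single figure across every account in the file."""
    return sum(row[COST_COLUMN] for row in rows)


if __name__ == "__main__":
    rows = parse_cur(SAMPLE_CUR_CSV)
    print("by service:", cost_by(rows, "lineItem/ProductCode"))
    print("by account:", cost_by(rows, "lineItem/UsageAccountId"))
    print("by Project tag:", cost_by(rows, "resourceTags/user:Project"))
    print("web project only:", round(consolidated_total(filter_by_tag(rows, "Project", "web")), 4))
    print("organization total:", round(consolidated_total(rows), 4))
```

The "(untagged)" bucket is the figure worth watching: cost that cannot be attributed to a tag is cost that no team owns, which is why the tag policies applied through AWS Organizations matter for chargeback.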
• AWS Budgets is a budgeting tool in Billing and Cost Management that helps you compare and track spending as you analyze costs.
• Cost budgets
• Usage budgets
• Reservation budgets
• Savings Plans budgets

• You set a monthly cost budget with a fixed amount of $200 and set an alert when costs reach half that amount ($100).
• You set a monthly usage budget with a fixed usage amount and configure forecast alerts to ensure your usage doesn't exceed the designated amount. This type of budget is useful for AWS Free Tier offerings: you can make sure that you are staying under the Free Tier limit for a service.
• You configure a daily usage budget to track your Savings Plans or RIs. You can elect to be notified if the utilization drops below a certain percentage for a given day.
• You set a monthly cost budget with a variable target amount. For example, you can specify that each month your budget should grow by 2 percent. Then you can configure your alerts for a percentage of your budgeted amount and apply an action.
1. Set up the budget report.
2. Configure delivery settings.
3. Confirm the budget report.

• Cut out waste
• Right-size, deallocate, or delete Amazon EBS-backed instances
• Choose low-cost regions or locations
• Use purchase discounts
• Migrate to PaaS or SaaS services
• AWS License Manager
• Bring-your-own-license (BYOL)

• A free cloud consultant that helps you optimize your AWS infrastructure and workloads.
• Recommendation categories
  – Cost optimization
  – Performance
  – Security
  – Fault tolerance
  – Service limits
• A green check indicates the number of items without any detected problems.
• An orange triangle represents the number of recommended investigations.
• A red circle represents the number of recommended actions.
You can save estimates from the pricing calculator even if you are not logged into your AWS Management Console. True or false?
A. True
B. False
Answer: True

Which of the following will make recommendations regarding possible reservations that would save money? Choose the best response.
A. Cost Explorer
B. Trusted Advisor
C. The pricing calculator
D. AWS Budgets
Answer: B

What type of budget would you use to plan how much you want to use one or more services? Choose the best response.
A. Cost budget
B. Usage budget
C. Reservation budgets
D. Savings Plan budgets
Answer: B

Which of the following EC2 instance purchasing options supports the bring-your-own-license (BYOL) model for almost every BYOL scenario? Choose the best response.
A. On-Demand instances
B. Reserved instances
C. Dedicated Hosts
D. Convertible instances
E. Dedicated instances
Answer: C

Which of the following are true about consolidated billing? Select all that apply.
A. You receive one bill per AWS account.
B. You receive one bill for multiple AWS accounts.
C. You are charged a fee per user.
D. You can combine usage and share volume pricing discounts.
Answer: B and D

Which one of the following services can you use to configure custom cost and usage limits and set alerts for when thresholds are exceeded? Choose the best response.
A. AWS Budgets
B. AWS Trusted Advisor
C. Cost Explorer
D. AWS Organizations
Answer: A

Which one of the following services can you use to examine EC2 instance billing for the past month? Choose the best response.
A. AWS Budgets
B. AWS Trusted Advisor
C. Cost Explorer
D. AWS Organizations
Answer: C

Which of the following services can an organization use to examine its spending over the past month? Choose the best response.
A. AWS Budgets
B. AWS Trusted Advisor
C. Cost Explorer
D. AWS Organizations
Answer: C

Where can you find historical billing information for your organization? Choose the best response.
A. AWS Budgets
B. AWS Billing and Cost Management console
C. Cost Explorer
D. AWS Organizations
Answer: B

Which pillar checks are provided in Trusted Advisor with the Basic (Free) support option? Select all that apply.
A. Cost optimization
B. Performance
C. Security
D. Fault tolerance
E. Service limits
F. Compliance
Answer: C and E
In this module, you'll learn how to:
 Describe AWS support models
 Distinguish between the various AWS
support plans
 Describe a service-level agreement (SLA)
 Describe composite SLAs
 Determine an appropriate SLA for an
application
 AWS provides various resources to help
customers find answers to their questions
about services or capabilities.
 AWS Basic support
 Billing and subscription management
support
 AWS Personal Health Dashboard which
gives you insights on issues related to your
AWS services
 AWS Trusted Advisor which gives you
personalized recommendations on how to
optimize your cost and performance
Support plan comparison (Basic, Developer, Business, Enterprise):
 Basic
– Cost: Free
– Best for: Non-production workloads
– Reactive technical support: None
– Enhanced technical support: None; only provides 24x7 access to customer service
– Account assistance: None
– Architectural guidance: None
– AWS Trusted Advisor best practice checks: 7 core checks
 Developer
– Cost: Greater of $29/month
– Best for: Non-critical workloads
– Reactive technical support: General guidance < 24 business hrs; system impaired < 12 business hrs
– Enhanced technical support: Email support from Cloud Support Associates during business hours; unlimited cases with a single primary contact
– Account assistance: None
– Architectural guidance: General
– AWS Trusted Advisor best practice checks: 7 core checks
 Business
– Cost: Greater of $100/month
– Best for: Production workloads
– Reactive technical support: General guidance < 24 business hrs; system impaired < 12 business hrs; production system impaired < 4 business hrs; production system down < 1 business hr
– Enhanced technical support: 24x7 email, phone, and chat support from Cloud Support Engineers; unlimited cases and unlimited contacts
– Account assistance: None
– Architectural guidance: Related to your use cases
– AWS Trusted Advisor best practice checks: Full set of checks
 Enterprise
– Cost: Greater of $15,000/month
– Best for: Business-critical workloads
– Reactive technical support: General guidance < 24 business hrs; system impaired < 12 business hrs; production system impaired < 4 business hrs; production system down < 1 business hr; business-critical system down < 15 minutes
– Enhanced technical support: 24x7 email, phone, and chat support from Cloud Support Engineers; unlimited cases and unlimited contacts; monitoring and optimization support by a designated Technical Account Manager (TAM)
– Account assistance: Concierge Support Team
– Architectural guidance: Well-Architected Reviews and guidance based on your applications
– AWS Trusted Advisor best practice checks: Full set of checks
 You can create and manage support
requests in the AWS console at
https://console.aws.amazon.com/support/home#/
 AWS Knowledge Center
 Knowledge Center Videos
 Developer forums
 AWS documentation
 Training and Certification
 Twitter
 A service-level agreement (SLA) describes
the commitment between a service provider
and its customer for some type and amount
of service.
 You can read the US SLAs for individual
AWS products and services at
https://aws.amazon.com/legal/service-level-agreements/
 3 9’s to 5 9’s
SLA % | Downtime per week | Downtime per month | Downtime per year
99 | 1.68 hours | 7.2 hours | 3.65 days
99.9 (three nines) | 10.1 minutes | 43.2 minutes | 8.76 hours
99.95 | 5 minutes | 21.6 minutes | 4.38 hours
99.99 (four nines) | 1.01 minutes | 4.32 minutes | 52.56 minutes
99.999 (five nines) | 6 seconds | 25.9 seconds | 5.26 minutes
 Amazon provides service credits on accounts as compensation for an underperforming product or service.
 The following formula calculates the EC2
monthly uptime percentage in availability
zones for this SLA:
Monthly uptime % = ((maximum available minutes – downtime) / maximum available minutes) × 100
 Composite SLAs are used to calculate
overall performance targets for solutions or
workloads involving numerous services,
each with different availability levels.
 Calculate a composite SLA by multiplying the individual SLAs together, for example:
0.9995 × 0.9999 ≈ 0.9994
 Create your own SLAs by selecting products
and services that set performance targets to
suit your specific application.
 This method is known as an Application
SLA.
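The downtime table, the EC2 monthly uptime formula and the composite SLA multiplication above, worked in Python as an added example (not part of the course material); period lengths assume a 30-day month and a 365-day year, and the redundant_sla function generalizes beyond the slide to components deployed in parallel:

```python
"""SLA arithmetic from the slides above (added example, not course material).

Period lengths follow the slide table's assumptions: a 30-day month and a
365-day year.
"""
from typing import Iterable, List, Tuple

MINUTES_PER_WEEK = 7 * 24 * 60      # 10,080
MINUTES_PER_MONTH = 30 * 24 * 60    # 43,200 (30-day month)
MINUTES_PER_YEAR = 365 * 24 * 60    # 525,600


def monthly_uptime_pct(max_available_minutes: float, downtime_minutes: float) -> float:
    """The EC2 formula: (maximum available minutes - downtime) / maximum available minutes x 100."""
    if max_available_minutes <= 0:
        raise ValueError("maximum available minutes must be positive")
    if not 0 <= downtime_minutes <= max_available_minutes:
        raise ValueError("downtime must lie between 0 and the maximum available minutes")
    return (max_available_minutes - downtime_minutes) / max_available_minutes * 100


def downtime_allowance_minutes(sla_pct: float, period_minutes: float) -> float:
    """Largest downtime (in minutes) that still meets an SLA over a period."""
    if not 0 < sla_pct <= 100:
        raise ValueError("SLA percentage must be in (0, 100]")
    return period_minutes * (100 - sla_pct) / 100


def downtime_table(sla_pcts: Iterable[float]) -> List[Tuple[float, float, float, float]]:
    """Rows of (SLA %, minutes/week, minutes/month, minutes/year), as in the slide table."""
    return [
        (
            pct,
            downtime_allowance_minutes(pct, MINUTES_PER_WEEK),
            downtime_allowance_minutes(pct, MINUTES_PER_MONTH),
            downtime_allowance_minutes(pct, MINUTES_PER_YEAR),
        )
        for pct in sla_pcts
    ]


def composite_sla(slas: Iterable[float]) -> float:
    """Serial composite SLA: the workload needs every service, so multiply the availabilities.

    Availabilities are fractions (0.9995 for 99.95%), as on the slide.
    """
    result = 1.0
    for sla in slas:
        if not 0 <= sla <= 1:
            raise ValueError("availabilities must be fractions between 0 and 1")
        result *= sla
    return result


def redundant_sla(slas: Iterable[float]) -> float:
    """Parallel composite SLA (a generalization beyond the slide): independent redundant
    copies of a component are all down only if every copy fails, so the combined
    availability is 1 minus the product of the individual failure probabilities."""
    failure = 1.0
    for sla in slas:
        if not 0 <= sla <= 1:
            raise ValueError("availabilities must be fractions between 0 and 1")
        failure *= 1 - sla
    return 1 - failure


if __name__ == "__main__":
    for pct, week, month, year in downtime_table([99, 99.9, 99.95, 99.99, 99.999]):
        print(f"{pct:>7}%  {week:8.2f} min/week  {month:8.2f} min/month  {year:9.2f} min/year")
    # The slide's worked example: 0.9995 x 0.9999
    print(f"serial composite: {composite_sla([0.9995, 0.9999]):.4f}")
    # Two 99.9% copies of a component in independent locations
    print(f"redundant pair:   {redundant_sla([0.999, 0.999]):.6f}")
```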
 Recovery time objective (RTO)
– The RTO is the maximum acceptable time an
application is unavailable after a failure or incident.
 Recovery point objective (RPO)
– RPO is the maximum period of data loss that the
organization finds acceptable during a disaster.
 Mean time to recover (MTTR)
– MTTR is the average time it takes to restore a
resource or component after a failure.
 Mean time between failures (MTBF)
– MTBF is how long a resource or component can
reasonably expect to last between outages.
 Perform dependency mapping
 Pay attention to external dependencies
 Resiliency is the capacity of an application
or workload to recover from failures and
resume functioning. Resiliency isn’t about
avoiding failures; it’s about responding to
them.
 Availability represents the time that a
system or application is working and
functional.
 As complexity increases, more services will
depend on each other.
 As a result, you might overlook or miss
possible failure points.
Match the items in the first column to the
correct items in the second column.
Answer: 1-B, 2-D, 3-A, 4-C
1. RTO A. The average time it takes to restore a resource or
component after a failure.
2. RPO B. The maximum acceptable time an application is
unavailable after a failure or incident.
3. MTTR C. How long a resource or component can
reasonably expect to last between outages.
4. MTBF D. The maximum period of data loss that the
organization finds acceptable during a disaster.
What is guaranteed in an AWS service level
agreement (SLA)? Choose the best response.
A. Feature availability
B. Uptime and connectivity
C. Bandwidth
D. Performance
E. Resiliency
B
An organization is planning on hosting a set of
resources in the AWS account. They are aware
that most AWS services provide at least a
minimum SLA of 99.9%. Which of the following
techniques could they use to increase the uptime
for their resources? Choose the best response.
A. Add the resources to the same data center
B. Add the resources to multiple regions
C. Add the resources to the same account
D. Add the resources to the same Availability
Zone
B
A company is trying some services that are
being offered by AWS in the Free Tier. They
won’t ever exceed the Free Tier level, so they
don’t need to pay for these services. Do these
services provide credits for downtime?
A. Yes
B. No
B
A company has a set of AWS EC2 instances. One of the
instances was down for an extended period of time
due to issues with the underlying AWS infrastructure.
The downtime exceeded the standard Amazon defined
SLA for EC2. How will Amazon remedy the situation?
Choose the best response.
A. They will provide the instance free of cost to use
for a specific duration of time.
B. They will not provide any reimbursement.
C. They will provision another instance free of cost.
D. They will provide service credits to the customer.
D
Which support plans provide support via
email, chat, and phone? Select all that apply.
A. Basic
B. Developer
C. Business
D. Enterprise
C and D
Which support plans provide a full set of
checks in the Trusted Advisor? Select all that
apply.
A. Basic
B. Developer
C. Business
D. Enterprise
C and D
Which of the following options are included in
the Enterprise support plan that are not in other
plans? Select all that apply.
A. A TAM (Technical Account Manager)
B. Unlimited cases / unlimited contacts (IAM
supported)
C. A full set of Trusted Advisor checks.
D. A Concierge Support Team
E. 24x7 phone, email, and chat access to Cloud
Support Engineers
F. Well-Architected Reviews
A, D, and F
Which of the following options are included in
the Business support plan? Select all that apply.
A. A TAM (Technical Account Manager)
B. Unlimited cases / unlimited contacts (IAM
supported)
C. A full set of Trusted Advisor checks.
D. A Concierge Support Team
E. 24x7 phone, email, and chat access to Cloud
Support Engineers
F. Well-Architected Reviews
B, C, and E
Which one of the following is the Twitter
handle for tweets to get answers and support
from the official Amazon AWS Twitter support
channel? Choose the best response.
A. @AmazonSupport
B. @AWSExpert
C. @AWSSupport
D. @AWSTechSupport
E. @AWSHelp
C
You should now know how to:
 Describe AWS purchasing options, compare
various AWS pricing models, and describe the
AWS Free Tier
 Describe cost planning and management,
including the Billing and Cost Management
console, AWS Organizations, AWS Cost
Explorer, AWS Budgets, the AWS Pricing
Calculator, and the AWS Trusted Advisor
 Distinguish between the various AWS Support
Plans, describe and compare service-level
agreement (SLAs) and composite SLAs
In this chapter, you'll learn how to:
 Describe core architectural components such
as regions, Availability Zones, Local Zones, and
resource groups
 Describe and use AWS tools such as AWS
Management console, AWS CLI, AWS
CloudShell, and AWS Console Mobile
Application
 Describe and use AWS monitoring tools such
as Amazon CloudWatch, CloudTrail, Trusted
Advisor, and the AWS Health Dashboard
In this module, you'll learn how to:
 Describe regions and Edge locations
 Describe Availability Zones and Local Zones
 Describe resource groups
 Describe the benefits of the core AWS
architectural components
 An AWS region is a geographical area that contains multiple data centers that are close enough to be networked together as a low-latency network.
 US government special regions
 China government regions
 An Amazon Edge location is a site that
Amazon CloudFront uses to store cached
copies of your content closer to your
customers for faster delivery.
 Availability Zones are physically separate
data centers within an AWS region.
 Availability Zones are physically separated
but are all within 60 miles (100 km) of each
other in a region.
 AWS Availability Zones are made up of one
or more data centers.
 Each data center is equipped with
independent power, cooling, and
networking components.
 Use Availability Zones to build high
availability in your application architecture.
 To do so, locate your compute, network,
storage, and data resources within an
Availability Zone, and then replicate that
setup in other zones.
 An AWS Local Zone is an extension of a
region that is geographically close to your
users.
 AWS Local Zones place AWS compute,
storage, database, and other select services
close to large populations, media and
entertainment industries, and IT centers.
 A resource group is a container that
organizes connected resources for an AWS
solution or workload that are located in the
same region.
 In AWS, there are two types of queries that you can use to build a resource group:
– Tag-based
– AWS CloudFormation stack-based
– In both query types, you specify resources using the format AWS::service::resource.
 Logical grouping
 Lifecycle
 Authorization
 AWS Management console
 AWS Resource Groups & Tag Editor
 AWS CLI
 AWS SDK programming languages
 To update a tag-based resource group in
the Resource Groups console, you can edit
the query and tags that are the base of your
group.
 To update an AWS CloudFormation stack-based resource group, you can choose a different stack.
 Tags consist of a key/value pair of text data
that you can apply to resource groups and
resources.
 You can add up to 50 tags to a resource.
 Tag keys and values are case-sensitive.
 You can also use an AWS Policy to define
policy conditions that automatically add or
enforce tags for your organization’s
resources.
 If you intend to use tags for specific
scenarios, you will need to rely on the
consistent use of tags and tag values.
 Tags can be required, conditionally required,
or optional.
 Required tags are mandatory under all
circumstances (for example, a resource that
stores sensitive data).
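An added example (not from the course or AWS) of checking an inventory of resources against a tag policy with required and conditionally required tags, the 50-tag limit and case-sensitive keys; the policy, resource IDs and tag values are constructed:

```python
"""Tag-compliance check for the tagging rules above (added example; the policy,
resource IDs and tags are constructed, not from AWS or the course).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_TAGS_PER_RESOURCE = 50  # limit stated on the slide


@dataclass
class TagPolicy:
    # required tag key -> allowed values, or None when any value is acceptable
    required: Dict[str, Optional[Set[str]]]
    # conditionally required: (if this key, has this value, then this key must be present)
    conditional: List[Tuple[str, str, str]] = field(default_factory=list)


def check_tags(tags: Dict[str, str], policy: TagPolicy) -> List[str]:
    """Return a list of human-readable violations; an empty list means compliant."""
    violations: List[str] = []
    if len(tags) > MAX_TAGS_PER_RESOURCE:
        violations.append(f"{len(tags)} tags exceed the limit of {MAX_TAGS_PER_RESOURCE}")

    for key, allowed in policy.required.items():
        if key not in tags:
            # Tag keys are case-sensitive: 'environment' does not satisfy 'Environment'.
            near = [k for k in tags if k.casefold() == key.casefold()]
            hint = f" (found {near[0]!r}; tag keys are case-sensitive)" if near else ""
            violations.append(f"missing required tag {key!r}{hint}")
        elif allowed is not None and tags[key] not in allowed:
            violations.append(
                f"tag {key!r} has value {tags[key]!r}; expected one of {sorted(allowed)}"
            )

    for if_key, if_value, then_key in policy.conditional:
        # Values are case-sensitive too, so 'Prod' does not trigger a rule written for 'prod'.
        if tags.get(if_key) == if_value and then_key not in tags:
            violations.append(f"tag {then_key!r} is required when {if_key}={if_value}")
    return violations


def audit(resources: Dict[str, Dict[str, str]], policy: TagPolicy) -> Dict[str, List[str]]:
    """Check every resource and return only the non-compliant ones."""
    report: Dict[str, List[str]] = {}
    for resource_id, tags in resources.items():
        problems = check_tags(tags, policy)
        if problems:
            report[resource_id] = problems
    return report


# Constructed policy: Environment, CostCenter and Owner are always required; a
# production resource must additionally name a backup plan.
POLICY = TagPolicy(
    required={"Environment": {"dev", "test", "prod"}, "CostCenter": None, "Owner": None},
    conditional=[("Environment", "prod", "BackupPlan")],
)

# Constructed sample inventory (placeholder resource IDs).
RESOURCES = {
    "i-0example0000000001": {"Environment": "prod", "CostCenter": "CC-1234",
                             "Owner": "dba-team", "BackupPlan": "daily"},
    "i-0example0000000002": {"environment": "prod", "CostCenter": "CC-1234",
                             "Owner": "dba-team"},
    "vol-0example000000003": {"Environment": "prod", "CostCenter": "CC-5678",
                              "Owner": "app-team"},
    "sg-0example0000000004": {"Environment": "staging", "Owner": "app-team"},
}

if __name__ == "__main__":
    for resource_id, problems in audit(RESOURCES, POLICY).items():
        print(resource_id)
        for problem in problems:
            print("  -", problem)
```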
 Resources grouped by resource type
 Resources grouped by environment
 Resources grouped by department
 Combination method
 Tags for access control
 Grouping to organize billing data
 Grouping resources
 Monitoring resources
 Grouping for automation
 Tagging for lifecycle
To what level of physical granularity can you
deploy an app? Choose the best response.
A. Data center
B. Region
C. Server rack
D. Geographies
B
To use AWS data centers that are made
available with power, cooling, and networking
capabilities independent from other data
centers in a region, what should the region
support? Choose the best response.
A. Region pairs
B. Geography distributions
C. Service-level agreements
D. Availability Zones
D
Which of the following describes application
availability? Choose the best response.
A. The overall time that a system is running
and functional.
B. Application support for an Availability
Zone.
C. The service-level agreement of the
associated resource.
A
You can apply tags to any type of resource on
AWS. True or false?
A. True
B. False
B
If you apply tags at a resource group level,
they are propagated to resources within the
resource group. True or false?
A. True
B. False
B
Which of the following approaches might be a
good usage of tags? Choose the best response.
A. Using tags to store environment and
department association
B. Using tags in conjunction with AWS
Automation to schedule maintenance
windows
C. Using tags to associate a cost center with
resources for internal accounting purposes
D. All of the above are good uses for tags
D
Which of the following methods would be the most
efficient way to ensure your organization follows a naming
convention across its account? Choose the best response.
A. Send out an email with the details of your naming
conventions for resources in the account.
B. Create a policy with your naming requirements and
assign it to an account role.
C. Create a service-level agreement with your naming
requirements and assign it to the account.
D. Give all other users except for yourself read-only
access to the account. Have all requests to create
resources sent to you so you can review the names
being assigned to resources, and then create them.
B
In this module, you'll learn how to:
 Describe AWS tools such as AWS
Management console, AWS CloudShell,
AWS CLI, and AWS Console Mobile
Application
 Access and use the AWS CloudFormation
 AWS Management console — Provides a
graphical user interface (GUI) for interacting
with AWS
 AWS CLI — Provides command line and
automation-based interactions with AWS
 AWS CloudShell — Provides a browser-based command-line interface
 AWS Console Mobile Application —
Provides monitoring and management of
resources from a mobile device
 The AWS Management console is a
graphical user interface (GUI) that runs
through any web browser.
 The console provides options for creating
and managing your AWS account and all
your AWS resources.
 You sign into the AWS Management
console with your web browser at
https://console.aws.amazon.com.
 A dashboard is a customizable set of user-interface tiles displayed in an AWS console.
 Dashboards provide flexibility for managing
AWS according to your needs and workflow.
 AWS CloudShell is an interactive, authenticated, browser-based shell environment that you can use to deploy, manage, and develop AWS resources.
 Bash: If you are in the Bash shell, the
command prompt will be $.
 PowerShell: If you are in PowerShell, the
command prompt will be PS>.
 Z shell: If you are in Z shell, the command
prompt will be %.
 CloudShell persists files in your $HOME
directory.
 AWS CloudShell provides 1 GB of persistent
storage for each AWS region at no cost.
 Your $HOME directory is private to you.
 AWS PowerShell is a task automation and
configuration management framework,
consisting of a command-line shell and a
scripting language.
 Because PowerShell is built on the .NET
runtime, it can accept and return .NET
objects. As a result, PowerShell differs from
other shells that can only accept and return
text.
 Cross-platform enabled
 Output is object-based
 Commands are extensible
 Command aliases supported
 PowerShell handles console input and
display
 PowerShell has a pipeline
 Installing PowerShell
– https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up.html
 Learning PowerShell
– https://docs.aws.amazon.com/powershell/latest/userguide/pstools-using.html
 PowerShell cmdlet Reference
– https://docs.aws.amazon.com/powershell/latest/reference/Index.html
 Developer blog
– https://aws.amazon.com/blogs/developer/category/programing-language/dot-net/
 The AWS CLI (command-line interface) is a
set of commands that you can use to create
and manage AWS resources.
 Unlike the AWS Management console, the
AWS CLI has an emphasis on automation.
 Can be installed and run on Windows, Linux, and
macOS environments.
 Can be run in AWS CloudShell and Docker.
 Offers a flexible command-line interface for
managing AWS solutions or workloads.
 Supports long-running operations.
 Allows you to query command-line results with
query output returned in your format of choice.
 Can use one subscription for all commands, or vary
subscriptions per command.
 Can be used with multiple clouds.
 Provides settings that you can configure for data
collection, logging, and default argument values.
 The AWS Console Mobile Application lets you
access, manage, and monitor all your AWS
accounts and resources.
 The AWS Console Mobile Application is
available for iOS or Android and can be
used on phones or tablets.
 AWS CloudFormation is a tool that allows
you to work with all the essential resources
that are part of a solution or workload as a
group.
 You can use AWS CloudFormation to
deploy, update, and delete all resources that
form a solution or workload in a single
process.
 You can also use CloudFormation templates
to streamline deployments of resources or
solutions.
 Templates
– A CloudFormation template is where you define
your AWS resources and their properties.
 Stacks
– A stack is a set of related resources that are
deployed together.
 Change sets
– A change set is a summary of proposed
changes to running resources in a stack.
 Create your own template in Designer
– Format Version
– Description
– Metadata
– Parameters
– Rules
– Mappings
– Conditions
– Transform
– Resources (required)
– Outputs
 Load a quickstart template
 Use a sample template
 Save a template
A company has a set of database administrators that
are responsible for implementing and managing the
database resources in the organization’s AWS account.
The database administrators have a set of on-premises
Windows 10 workstations. Which of the following
tools can they use? Choose the best response.
A. AWS Management console and AWS CLI only
B. AWS Management console, AWS CLI, and AWS
PowerShell
C. AWS CLI and AWS PowerShell only
D. AWS Management console and AWS PowerShell
only
B
A company has a set of app developers that are
responsible for implementing and managing several
apps in the organization’s AWS account. The app
developers have a set of on-premises macOS
workstations. Which of the following tools can they
use? Choose the best response.
A. AWS Management console and AWS CLI only
B. AWS Management console, AWS CLI, and AWS
PowerShell
C. AWS CLI and AWS PowerShell only
D. AWS Management console and AWS PowerShell
only
B
What base command do you type in the AWS
CloudShell to access the AWS CLI? Choose the
best response.
A. aws
B. cli
C. bash
D. pwsh
A
You cannot connect to and manage EC2
instances or web apps with the AWS mobile
app. True or false?
A. True
B. False
B
Which AWS service enables AWS architects to
manage infrastructure as code? Choose the
best response.
A. CloudWatch
B. CloudTrail
C. CloudFormation
D. CloudArchitect
C
What type of file is used to create a
CloudFormation template? Select all that
apply.
A. ASP
B. JSON
C. HTML
D. YAML
E. PHP
B and D
Which of the following can you use to view
how modifications will impact the running
resources before implementing them? Choose
the best response.
A. A template
B. A stack
C. A transform set
D. A change set
D
In this module, you'll learn how to:
 Describe Amazon CloudWatch
 Describe AWS CloudTrail
 Describe AWS Trusted Advisor monitoring
features
 Describe the AWS health dashboards
 Amazon CloudWatch is an AWS service that can
help you increase your applications and services’
performance and availability.
 The console is available at
https://console.aws.amazon.com/cloudwatch/.
 Metrics are automatically collected data that
measure some aspect of a system’s performance at
a particular point in time. A metric is a variable you
want to monitor.
 Logs are various system events that are organized
into records with different sets of properties for
each type. Logs show the activity in your AWS
account.
 Namespaces
– A container you create for CloudWatch metrics.
 Dimensions
– A name/value pair that you can use to identify a
metric.
 Statistics
– Metric data that AWS collects over a specified
period.
 Percentiles
– Indicates the relative position of a value in a dataset
 Alarms
– Proactively notifies you of changing or critical
conditions within collected data.
 Amazon CloudWatch Logs Insights
– An interactive, pay-as-you-go log analytics service that allows you to manage, explore, and
analyze your application and system logs.
 CloudWatch ServiceLens
– A service that is integrated with AWS X-Ray to allow you to visualize and analyze the
availability, performance, and health of your applications. You can use CloudWatch
ServiceLens to monitor and visualize three areas of an application:
 Application infrastructure
 Application dependencies
 End user monitoring
 Contributor Insights
– A service that allows you to analyze time-series data to see which factors are influencing
your system performance. You can use Contributor Insights to quickly diagnose, isolate,
and remediate issues during an operational event.
 Container Insights
– A service that allows you to monitor the performance of your containerized applications
and microservices.
 Application Insights
– A service that you can use to monitor your applications that use Amazon EC2 instances as
well as other application resources. Application Insights identifies and sets up key logs,
metrics, and alarms across your application resources.
 Dashboards allow you to join different kinds
of data into a single pane in the Amazon
CloudWatch console.
 You can include both metrics and logs.
 Dashboard visualizations include charts,
graphs, and tables.
 CloudTrail creates logs that give you specific
information on what occurred in your AWS
account by recording API calls.
 When an API call occurs, the following
information is recorded:
– The identity of the API caller
– The time of the API call
– The source IP address of the API caller
 CloudTrail also offers an optional feature that,
when enabled, automatically detects unusual
API activity in your AWS account.
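An added example (not from the course) of the question CloudTrail records are designed to answer, namely who terminated an instance, when and from which source IP; it walks records in the CloudTrail JSON layout, and the records, account ID and IP addresses are constructed placeholders:

```python
"""Find who terminated EC2 instances from CloudTrail records (added example; the
records below are constructed in the CloudTrail record layout, not real log data).
"""
import json
from typing import Dict, List

# Constructed CloudTrail-style records: a successful termination, a denied
# attempt, and an unrelated call. The account ID and IP addresses are
# documentation placeholders.
SAMPLE_TRAIL = json.dumps({
    "Records": [
        {
            "eventTime": "2024-05-01T10:15:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "TerminateInstances",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::123456789012:user/alice"},
            "requestParameters": {"instancesSet": {"items": [
                {"instanceId": "i-0example0000000001"},
                {"instanceId": "i-0example0000000002"}]}},
        },
        {
            "eventTime": "2024-05-01T10:20:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "TerminateInstances",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner"},
            "errorCode": "Client.UnauthorizedOperation",
            "requestParameters": {"instancesSet": {"items": [
                {"instanceId": "i-0example0000000003"}]}},
        },
        {
            "eventTime": "2024-05-01T10:25:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "StopInstances",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::123456789012:user/alice"},
            "requestParameters": {"instancesSet": {"items": [
                {"instanceId": "i-0example0000000001"}]}},
        },
    ]
})


def instance_ids(record: dict) -> List[str]:
    """Instance IDs named in an EC2 API call's request parameters."""
    items = record.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return [item["instanceId"] for item in items if "instanceId" in item]


def find_terminations(trail_json: str) -> List[Dict[str, str]]:
    """One row per instance actually terminated: who, when and from which source IP.

    Records carrying an errorCode are API calls that failed (for example, a denied
    request), so they are excluded here; see denied_terminations() for those.
    """
    rows = []
    for record in json.loads(trail_json)["Records"]:
        if record.get("eventName") != "TerminateInstances" or "errorCode" in record:
            continue
        for instance_id in instance_ids(record):
            rows.append({
                "instance_id": instance_id,
                "event_time": record["eventTime"],
                "caller": record["userIdentity"].get("arn", "<unknown>"),
                "caller_type": record["userIdentity"].get("type", "<unknown>"),
                "source_ip": record.get("sourceIPAddress", "<unknown>"),
            })
    return rows


def denied_terminations(trail_json: str) -> List[Dict[str, str]]:
    """Termination attempts that were refused; worth reviewing even though nothing was deleted."""
    return [
        {"event_time": r["eventTime"], "caller": r["userIdentity"].get("arn", "<unknown>"),
         "source_ip": r.get("sourceIPAddress", "<unknown>"), "error": r["errorCode"]}
        for r in json.loads(trail_json)["Records"]
        if r.get("eventName") == "TerminateInstances" and "errorCode" in r
    ]


if __name__ == "__main__":
    for row in find_terminations(SAMPLE_TRAIL):
        print(f"{row['event_time']}  {row['instance_id']}  terminated by {row['caller']} from {row['source_ip']}")
    for row in denied_terminations(SAMPLE_TRAIL):
        print(f"{row['event_time']}  denied ({row['error']}): {row['caller']} from {row['source_ip']}")
```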
 AWS Trusted Advisor is a service that
inspects your AWS environment and
provides real-time recommendations based
on AWS best practices.
 The AWS Health Dashboard now combines the
previous Service Health Dashboard and
Personal Health Dashboard.
 Provides the general status of AWS services.
 Also provides a personalized view of the
health of AWS services and any alerts when
your resources might be impacted.
Your organization has a limited budget and is worried
about cost overruns. Which of the following options can
be used to notify the organization when the monthly AWS
bill exceeds $3000? Choose the best response.
A. Set up a CloudWatch billing alarm that triggers an
SNS notification to an email address.
B. Set up a CloudTrail billing alarm that triggers an SNS
notification to an email address.
C. Configure Trusted Advisor to send an alert when the
bill threshold has been reached.
D. Configure the Amazon Simple Email Service to send
an SNS billing notification to an email address.
A
Your company has deployed an application on
several EC2 instances. Recently, customers are
complaining that sometimes they can’t reach
your application. Which AWS service allows you
to monitor the performance of your EC2
instances to assist in troubleshooting? Choose
the best response.
A. AWS CloudTrail
B. AWS CloudWatch
C. AWS Health Dashboard
D. Service Health Dashboard
B
Which of the following are types of data
collected by Amazon CloudWatch? Select all
that apply.
A. Metrics
B. Logs
C. JSON files
D. Config files
A and B
Which of the following can you use to log API
calls? Choose the best response.
A. CloudWatch
B. CloudTrail
C. Application Insights
D. Trusted Advisor
B
What can you use to visualize different kinds
of data in a single pane in Amazon
CloudWatch? Choose the best response.
A. Power BI
B. Views
C. Dashboards
D. Event Hub
C
You have noticed several critical EC2 instances
have been terminated. Which of the following
AWS services would help you determine who
took this action? Choose the best response.
A. CloudWatch
B. CloudInspector
C. CloudTrail
D. Trusted Advisor
C
What health dashboard provides a global view of
the health condition for AWS services? Choose
the best response.
A. AWS Status Dashboard, Under Service health
B. AWS Health Dashboard, Under Service
health
C. Resource Health Dashboard
D. AWS Health Dashboard, Under Your account
health
B
The Status Health Dashboard can only be
accessed by people with current subscriptions
to the AWS platform. True or false?
A. True
B. False
B
Which of the following does the Personal Health
Dashboard provide? Select all that apply.
A. The current status of all AWS services.
B. A personalized view of the status of AWS services
that run your applications.
C. Detailed troubleshooting guidance to address
AWS events impacting your applications.
D. Detailed guidance on how to optimize costs for
running your application.
E. Proactive notifications about upcoming
maintenance that might affect your application.
A, B, C, and E
How long are events held in your Event log?
Choose the best response.
A. 30 days
B. 90 days
C. 120 days
D. Until you delete them manually.
B
You should now know how to:
 Describe core architectural components such
as regions, Edge locations, Availability Zones,
Local Zones, and resource groups
 Describe and use AWS tools such as AWS
Management console, AWS CLI, AWS
CloudShell, and AWS Console Mobile
Application
 Describe and use AWS monitoring tools such
as Amazon CloudWatch, CloudTrail, Trusted
Advisor, and the AWS Health Dashboard
In this chapter, you'll learn how to:
 Describe services available for compute such
as Elastic Compute Cloud (EC2) instances, Auto
Scaling, Elastic Container Service (ECS) and
Fargate, and Elastic Kubernetes Service (EKS)
 Describe Serverless computing and AWS
products such as Lambda
 Describe Elastic Beanstalk and the AWS
Marketplace
 Describe networking services available for
AWS, including Virtual Private Cloud (VPC),
VPN Gateway, Route 53, Direct Connect, and
AWS PrivateLink
In this module, you'll learn how to:
 Describe and create Elastic Compute Cloud
(EC2) instances
 Describe Auto Scaling
 Explain Elastic Container Service (ECS) and
Fargate, and Elastic Kubernetes Service
(EKS)
Service name | Service function
Elastic Compute Cloud (EC2) instances | Creates virtual servers with Windows or Linux operating systems hosted in AWS
Auto Scaling | Creates and manages a set of autoscaling, load-balanced EC2 instances
Batch | Performs cloud-scale job scheduling and compute management for high-performance and parallel computing applications
Amazon Elastic Container Service (ECS) | Runs containerized apps on AWS without provisioning EC2 instances or servers
Amazon Elastic Kubernetes Service (EKS) | Manages a cluster of EC2 instances that run containerized services
AWS Fargate | Serverless compute service for containers
AWS Lambda | Processes events with a serverless compute service
EC2 instances are ideal when you need:
 Complete control over the operating system (OS)
 The ability to have custom hosting configurations
 The ability to run custom software
 The virtual private cloud (VPC)
 EC2 instance name
 EC2 instance location
 EC2 instance type
EC2 instance type | Description
General-purpose | Designed to provide a roughly equivalent balance of CPU, memory, and networking resources. Consider using a general-purpose instance for applications that don’t require optimization in any single resource area.
Compute-optimized | Designed to have a high CPU-to-memory ratio and utilize high-performance processors.
Memory-optimized | Designed to have a high memory-to-CPU ratio.
Storage-optimized | Designed to have high disk IO and throughput.
Accelerated computing | Designed for heavy compute workloads; uses hardware accelerators or coprocessors to perform functions more efficiently.
 Instance performance level
 Amazon Machine Images (AMI)
 Root device storage
 EC2 instance limits
 EC2 instance availability
 Instance lifecycle
 EC2 Auto Scaling
 AWS Batch
 AWS offers a service that provides
automatic scaling for EC2 instances called
EC2 Auto Scaling.
 Easily create and manage an EC2 Auto Scaling group
 Increases application availability and resiliency
 Auto scales applications as resource demand changes
Scenario | Manual EC2 instance process | EC2 Auto Scaling
High availability and redundancy | Manually distribute EC2 instances across Availability Zones | Automatically distributes EC2 instances across Availability Zones
Add additional instances | Manually create, configure, and ensure compliance | Automatically creates EC2 instances from a central configuration
Traffic balancing and distribution | Manually create and configure a load balancer | Automatically integrates with a load balancer
EC2 instance scaling | Manually monitor and implement AWS Automation | Automatically scales based on specified conditions in a scaling policy
 Dynamic scaling
– The capacity of your Auto Scaling group
changes in response to fluctuations in demand.
 Predictive scaling
– The capacity of your Auto Scaling group is
automatically scheduled based on forecasted
demand.
 Options
– Minimum capacity
– Desired capacity
– Maximum capacity
 CloudWatch
 CloudTrail
 AWS Batch enables running large-scale
parallel and high-performance computing
(HPC) batch jobs.
 Components
– Job
– Job definition
– Job queue
– Compute environment
1. Create a compute environment.
2. Create a job queue.
3. Create a job definition.
4. Create a job.
5. Review and create.
 Containers are a lightweight solution that solves some problems of using virtual machines.
 Small and fast
 Start up quickly
 A container bundles a single application and its dependencies and deploys it as a containerized app, as a unit, on a container host
 Amazon Elastic Container Service (Amazon
ECS) is a highly scalable, regional container
management service.
 You can use Amazon ECS to run, stop, and
manage containers on a cluster.
 Because Amazon ECS is a regional service,
you can run containers across multiple
Availability Zones within a region to make
them highly available.
 Clusters
 Containers
 Container images
 Container registry
 Container agent
 Task definitions
 Tasks
 Service
 Scheduler
 Where you break solutions into smaller,
independent pieces.
 Orchestration refers to the automation and
coordination of the configuration and
management of all software and
interactions within a cloud-based
environment.
 AWS Fargate is a managed infrastructure
that you can use with Amazon ECS to run
containers.
 No need to provision, configure, scale, or
manage clusters of Amazon EC2 instances
or servers to run your containers.
 Kubernetes is an open-source system for
automating deployment, management, and
scaling of containerized applications.
 Amazon EKS is useful for scenarios where
you need full container orchestration,
including automatic scaling, service
discovery across multiple containers, and
coordinated application upgrades.
 Kubernetes cluster
 Control plane
 Nodes
 Node pools
 Pods
 Deployments
 ReplicaSet
 Set types
 Namespaces
 No need to manage infrastructure
 Increased scalability
 Micro-billing
 AWS Lambda is a Functions-as-a-Service
(FaaS) offering.
 In a FaaS model, you don’t need to worry
about the hosting infrastructure; you simply
write and deploy your functions, and AWS
Lambda automatically runs them.
 AWS Lambda’s functions are stateless.
Stateless functions behave as if they’re
restarted every time they respond to an
event.
1. Upload your code (functions) to Lambda.
2. Set your code to trigger from an event
source, such as an AWS service, mobile
application, or HTTP endpoint.
3. Lambda only runs your code when
triggered.
4. You pay only for the compute time that
you use.
• Step Functions executes workflows.
• Step Functions has the following components:
• A workflow is the business application or process you want to complete.
• A state machine is a graphical depiction of a workflow.
• A state is a step in a workflow.
• A task is a state in a workflow that denotes a single unit of work that another AWS service performs.
• Standard workflows have exactly-once execution for the workflow and can run for up to one year.
• Express workflows have at-least-once execution for the workflow and can run for up to five minutes.
• Function orchestration
• Branching
• Error handling
• Human interaction integration
• Parallel processing
• Dynamic parallelism
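As an added example (not from the course), the following Python builds a state machine definition in Amazon States Language that uses the components above, with a task-token pause standing in for the human-interaction step, and checks offline that every transition points at an existing state. The Lambda ARNs are constructed placeholders.

```python
"""Amazon States Language (ASL) definition for a small Step Functions
workflow, with an offline check that every transition points at a real state.
Added example, not course code; the Lambda ARNs are constructed placeholders."""
import json

# Constructed placeholder ARNs (account 123456789012 is not a real account).
VALIDATE_ARN = "arn:aws:lambda:us-east-1:123456789012:function:validate-order"
CHARGE_ARN = "arn:aws:lambda:us-east-1:123456789012:function:charge-card"
SHIP_ARN = "arn:aws:lambda:us-east-1:123456789012:function:ship-order"
REVIEW_ARN = "arn:aws:lambda:us-east-1:123456789012:function:request-review"


def build_order_workflow() -> dict:
    """Task -> Choice (branching) -> Parallel, with Retry/Catch error handling
    and a task-token wait for the human-review step."""
    return {
        "Comment": "Order workflow: validate, branch on amount, then fulfil.",
        "StartAt": "ValidateOrder",
        "States": {
            "ValidateOrder": {
                "Type": "Task",
                "Resource": VALIDATE_ARN,
                # Error handling: retry transient failures with backoff, then
                # route anything still failing to a terminal Fail state.
                "Retry": [{"ErrorEquals": ["States.TaskFailed"], "IntervalSeconds": 2,
                           "MaxAttempts": 3, "BackoffRate": 2.0}],
                "Catch": [{"ErrorEquals": ["States.ALL"], "Next": "OrderFailed"}],
                "Next": "CheckAmount",
            },
            "CheckAmount": {  # branching on a field of the input document
                "Type": "Choice",
                "Choices": [{"Variable": "$.amount", "NumericGreaterThan": 1000,
                             "Next": "ManualReview"}],
                "Default": "Fulfil",
            },
            "ManualReview": {  # human interaction: wait until the token is returned
                "Type": "Task",
                "Resource": "arn:aws:states:::lambda:invoke.waitForTaskToken",
                "Parameters": {"FunctionName": REVIEW_ARN,
                               "Payload": {"TaskToken.$": "$$.Task.Token"}},
                "Next": "Fulfil",
            },
            "Fulfil": {  # parallel processing: both branches run concurrently
                "Type": "Parallel",
                "Branches": [
                    {"StartAt": "Charge", "States": {"Charge": {
                        "Type": "Task", "Resource": CHARGE_ARN, "End": True}}},
                    {"StartAt": "Ship", "States": {"Ship": {
                        "Type": "Task", "Resource": SHIP_ARN, "End": True}}},
                ],
                "End": True,
            },
            "OrderFailed": {"Type": "Fail", "Error": "OrderRejected"},
        },
    }


def validate_definition(defn: dict) -> list:
    """Return problems found (empty list = well formed): StartAt names a state,
    every Next/Default/Catch target exists, non-terminal states have Next or
    End, and Parallel branches pass the same checks recursively."""
    problems = []
    states = defn.get("States", {})
    start = defn.get("StartAt")
    if start not in states:
        problems.append(f"StartAt {start!r} is not a state")

    def check(owner, target):
        if target not in states:
            problems.append(f"{owner} points to unknown state {target!r}")

    for name, st in states.items():
        kind = st.get("Type")
        if kind in ("Succeed", "Fail"):
            continue  # terminal states carry no transitions
        if "Next" in st:
            check(name, st["Next"])
        elif not st.get("End") and kind != "Choice":
            problems.append(f"{name} has neither Next nor End")
        for c in st.get("Catch", []):
            check(f"{name}.Catch", c["Next"])
        if kind == "Choice":
            for ch in st.get("Choices", []):
                check(f"{name}.Choices", ch["Next"])
            if "Default" in st:
                check(f"{name}.Default", st["Default"])
        if kind == "Parallel":
            for i, branch in enumerate(st.get("Branches", [])):
                problems.extend(f"{name}.Branches[{i}]: {p}"
                                for p in validate_definition(branch))
    return problems


def definition_json(defn: dict) -> str:
    """The JSON document you would pass as the state machine definition."""
    return json.dumps(defn, indent=2)
```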
• Amazon EventBridge is a serverless computing infrastructure for applications that need to respond to events.
• EventBridge uses a push mechanism instead of a polling mechanism for handling events.
Your department is planning an AWS EC2
instance, and you need to select the appropriate
type. Your workload is a high traffic application
server that needs to have a high CPU-to-
memory ratio. Which type would you choose?
Choose the best response.
A. General-purpose
B. Compute-optimized
C. Memory-optimized
D. Accelerated computing
E. Storage-optimized
B
Your department spends several weeks configuring an
EC2 instance for an application. After the workload
increases, you decided you need another identical
instance. How can you achieve this quickly? Choose
the best response.
A. Export an AWS Configuration file from the
original instance and import it into the instance.
B. Install Aurora on the original instance and then
use it to provision a duplicate instance.
C. Generate an EBS snapshot of the original instance
and use that to create the new instance.
D. Create an AMI from the original instance and
launch a new instance using that AMI.
D
Which of the following AWS services provide
elastic web-scale cloud computing that allows
you to deploy operating system instances?
Choose the best response.
A. Amazon EBS
B. Amazon EC2
C. AWS Lambda
D. AWS Batch
B
Order the steps to run an AWS Batch job.
1. Create a compute environment.
2. Create a job queue.
3. Create a job.
4. Review and create.
Correct Order is: 3, 1, 2, 4, 5
Amazon ECS only supports multi-container
groups on Windows. True or false?
A. True
B. False
B
Your organization has a video-sharing app that
runs on millions of mobile devices. Demand is
unpredictable and often spikes when there is a
significant local or national event. Which AWS
compute resource is the best match for this
workload? Select all that apply.
A. EC2 instances
B. AWS Batch
C. Step Functions
D. AWS Lambda
C and D
Your organization has an existing web app running
locally on a server located onsite. The web app
requires additional capacity. You are planning to move
to AWS instead of buying upgraded on-premises
hardware. Which compute option would provide the
quickest route to getting your web app running in
AWS? Choose the best response.
A. EC2 instances
B. Amazon ECS
C. AWS Batch
D. Step Functions
E. AWS Lambda
A
In AWS, the compute options provide
different levels of control over configuring the
environment in which your app runs. Order
the compute options from “most control” to
“least control.”
1. Containers
2. EC2 instances
3. Serverless computing
Correct Order is: 2, 1, 3
Lambda functions are normally stateless. True
or false?
A. True
B. False
A
What are the two serverless compute options
in AWS? Select two.
A. EC2 Instances
B. Step Functions
C. AWS Batch
D. AWS Lambda
E. Amazon Elastic Container Service
B and D
In this module, you'll learn how to:
• Describe the AWS Marketplace and its usage scenarios
• Describe AWS Elastic Beanstalk
• Describe Amazon Lightsail
• Describe AWS Amplify
• Amazon Machine Images (AMIs)
• AWS CloudFormation templates
• Software as a service (SaaS)
• Custom solutions
• AWS provides several solutions for building and deploying apps and websites:
– AWS Elastic Beanstalk
– Amazon Lightsail
– AWS Amplify
• AWS Elastic Beanstalk is a platform-as-a-service (PaaS) offering that helps you provision Amazon EC2-based environments.
• AWS Elastic Beanstalk deploys the resources necessary to perform the following tasks for your environment:
– Automatic scaling
– Adjust capacity
– Load balancing
– Application health monitoring
• Amazon Lightsail is a virtual private server (VPS) that provides you everything needed to build an application or website.
• Amazon Lightsail benefits include:
– Managed environments
– Secure networking
– Powerful API
– High availability storage
– Easily scale your solution
• AWS Amplify is a collection of tools and services that can be used to help front-end web and mobile developers build scalable full-stack applications that are powered by AWS.
• You can get started with Amplify by visiting https://sandbox.amplifyapp.com/getting-started
• Configurable backends
• Seamlessly connect to frontends
• Deploy in a few clicks
• Easily manage content
Features
• Authentication
• APIs (GraphQL, REST)
• Storage
• Interactions
• PubSub
• DataStores
• Functions
• Analytics
• AI/ML Predictions
• Push Notifications
Amplify provides
• Fully managed hosting
• CI/CD
• Branch deployments
• Atomic deployments
• Custom domains
How do you access the AWS Marketplace?
Choose the best response.
A. In the AWS Marketplace console, click All
services.
B. In the AWS Management console, click
Services, and then click AWS Marketplace
Subscriptions.
C. In the AWS Marketplace console, click
Launch a Subscription.
D. In a web browser, go to
marketplace.aws.com.
B
All solutions and resources in the AWS
Marketplace are free. True or false?
A. True
B. False
False
AWS Elastic Beanstalk is a PaaS service you
can use to automate deployments. True or
false?
A. True
B. False
True
When deploying web apps using Lightsail,
you can only use the Linux OS. True or false?
A. True
B. False
False
Which AWS app service would be best if your
solution requires auto-scaling? Choose the
best response.
A. AWS Elastic Beanstalk
B. AWS Amplify
C. AWS Lightsail
D. AWS Lambda
A
You are deploying a static site from a GIT
repository. Which of the following AWS
services would be the quickest solution for
deployment? Choose the best response.
A. AWS Elastic Beanstalk
B. AWS Amplify
C. AWS Lightsail
D. AWS Lambda
B
Which app service would be the easiest way
to launch and manage a virtual private server
(VPS) in AWS? Choose the best response.
A. AWS Elastic Beanstalk
B. AWS Amplify
C. AWS Lightsail
D. AWS Lambda
C
In this module, you'll learn how to:
• Explain and create a virtual network
• Describe Virtual Private Cloud (VPC), VPN Gateway, AWS Transit Gateway, Amazon Route 53, AWS Direct Connect, and AWS PrivateLink
Service name: Service function
Virtual Private Cloud (VPC): Creates private virtual networks by enabling many AWS resources, such as EC2 instances, to securely communicate with each other, the internet, and on-premises networks.
Elastic Load Balancing: Evenly distributes inbound and outbound network connections to service endpoints or applications.
AWS Transit Gateway: Creates connections between VPCs and on-premises networks through a central hub.
Amazon Route 53: Hosts DNS zones and records for your domain names in AWS.
Amazon CloudFront: Delivers high-bandwidth content to your customers around the world.
AWS Shield: Protects and defends your AWS-hosted applications from distributed denial of service (DDoS) attacks.
AWS PrivateLink: Provides private connectivity between VPCs, services, and on-premises applications.
AWS Direct Connect: Provides private, high-bandwidth, dedicated, secure connections to AWS cloud services from your on-premises data center.
AWS Global Accelerator: Distributes network traffic across AWS regions worldwide for high performance and availability.
AWS Firewall Manager: Provides high-security, high-availability firewall capabilities with unlimited scalability.
• Loosely coupled architectures
• N-tier architectures
• Benefits
– They can be updated independently.
– They allow you to add to your solution.
– They allow you to scale your services proportionally to the amount of data traffic.
• An n-tier architecture means the solution is divided into two or more logical layers and physical tiers.
• Each layer has a specific responsibility.
• Tiers are physically separated and generally run on separate machines.
• Several layers can be hosted on the same tier; however, physically separating them improves resiliency and scalability.
• One drawback is that additional layers increase latency due to the additional network communication.
• The AWS Virtual Private Cloud (VPC) service is the fundamental component for building a private network in AWS.
• Key concepts
– Account
– Regions
– Classless Inter-Domain Routing (CIDR) block
– Subnets
– VPC endpoints
– Route table
– Internet gateway
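An added example (not course code) that carves a constructed VPC CIDR block into per-AZ subnets, checks it against the on-premises ranges it would later be peered or VPN-connected to, and shows how a route table picks the most specific matching route; every address below is a sample value.

```python
"""Plan a VPC address space: split the VPC CIDR block into public and private
subnets across Availability Zones, detect overlap with on-premises ranges,
and resolve routes the way a VPC route table does (longest prefix wins).
Added example, not course code; all CIDR values here are constructed samples."""
import ipaddress

VPC_CIDR = "10.20.0.0/16"                            # constructed VPC block
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]     # three AZs in one region
ON_PREM_CIDRS = ["10.16.0.0/12", "192.168.0.0/16"]   # constructed on-premises ranges
AWS_RESERVED_PER_SUBNET = 5  # AWS reserves the first four and the last address of a subnet


def plan_subnets(vpc_cidr: str, azs: list, new_prefix: int = 24) -> dict:
    """Allocate one public and one private /new_prefix subnet per AZ.
    Returns {subnet_name: IPv4Network}; raises ValueError if the block is too small."""
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = vpc.subnets(new_prefix=new_prefix)  # disjoint by construction
    plan = {}
    try:
        for az in azs:
            plan[f"public-{az}"] = next(candidates)
            plan[f"private-{az}"] = next(candidates)
    except StopIteration:
        raise ValueError(f"{vpc_cidr} cannot hold {2 * len(azs)} /{new_prefix} subnets") from None
    return plan


def usable_hosts(subnet) -> int:
    """Addresses a subnet can actually assign after the AWS-reserved ones."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def overlapping(vpc_cidr: str, remote_cidrs: list) -> list:
    """Remote ranges that overlap the VPC block. Such ranges cannot be reached
    over peering, a site-to-site VPN, or a transit gateway without renumbering."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [r for r in remote_cidrs if vpc.overlaps(ipaddress.ip_network(r))]


def private_route_table(vpc_cidr: str, on_prem: list) -> dict:
    """Route table for a private subnet: {destination CIDR: target}."""
    routes = {vpc_cidr: "local"}                       # every VPC route table has the local route
    routes.update({cidr: "vgw" for cidr in on_prem})   # on-premises via VPN or transit gateway
    routes["0.0.0.0/0"] = "nat"                        # private subnets egress through a NAT device
    return routes


def next_hop(routes: dict, dest_ip: str) -> str:
    """Pick the target of the most specific route that contains dest_ip."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise ValueError(f"no route to {dest_ip}")
    return best[1]
```

Because the local /16 is more specific than the overlapping on-premises /12, on-premises hosts inside 10.20.0.0/16 would be unreachable from this VPC, which is what the overlap check flags.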
Communication between AWS resources
• Through a virtual network
• Through a virtual service endpoint
• Through peering
Communication with on-premises resources
• Site-to-site (S2S) VPN
• AWS Client VPN
• AWS VPN CloudHub
• AWS Direct Connect
• You can use a transit gateway to connect your VPCs and on-premises networks.
• A transit gateway operates as a regional virtual router for traffic moving in the form of packets between VPCs and on-premises networks.
• A transit gateway elastically scales based on the volume of network traffic.
• Routing through a transit gateway operates at the Network layer (OSI layer 3).
• AWS PrivateLink establishes private connectivity between virtual private clouds (VPCs) and services hosted on AWS or on-premises without exposing data to the internet.
• A VPC endpoint enables privately connecting a VPC to supported AWS services and VPC endpoint services that are powered by AWS PrivateLink without requiring an internet gateway, AWS Direct Connect connection, VPN connection, or NAT device.
• There are ways to increase the availability and resiliency of your app solution, including using load balancers, gateways, and content delivery networks (CDNs).
• You can configure a load balancer to balance several kinds of traffic:
– Incoming traffic from the internet to EC2 instances
– Internal traffic between EC2 instances in a VPC
– Traffic in a hybrid network between on-premises computers and EC2 instances
– Traffic being forwarded from an external source to a specific EC2 instance
• Amazon’s Elastic Load Balancing is the single entry point for users.
• An Elastic Load Balancer distributes inbound traffic that arrives at the load balancer’s front end to the back-end pool of EC2 instances (targets).
• The instances can be in a single or multiple Availability Zones.
• Using multiple Availability Zones increases the fault tolerance of your applications.
• The traffic flows according to configured load balancing rules (listeners) and health checks.
• The back-end pool instances can be single EC2 instances or EC2 instances in an Auto Scaling group.
• Load balancer
– Provides a single access point for the incoming traffic.
• Listeners
– Check for connection requests from users, using the protocol and port that you configure. You can add one or more listeners to your load balancer.
• Target group
– Routes requests to registered targets, such as S3 buckets, using the specified protocol and port number.
• Health checks
– Monitor the health status of all targets registered to a target group that is specified in a listener rule for your load balancer.
• A Network Load Balancer is a Transport layer (OSI layer 4) load balancer.
• When the load balancer receives a connection request, it selects a target from the default rule’s target group. It then attempts to open a TCP connection to the specified target on the port specified in the listener configuration.
For TCP and UDP traffic, the load balancer selects a target based on the following information:
• The protocol
• Source IP address
• Source port
• Destination IP address
• Destination port
Benefits of NLB over Classic Load Balancer:
• Handling volatile workloads
• Scaling to millions of requests per second
• Utilization of static IP addresses for the load balancer
• Routing requests to multiple applications on a single EC2 instance
• Registering targets by IP address; this includes targets outside the VPC for the load balancer
• Using containerized applications
• Monitoring the health of each service independently
• You can use Gateway Load Balancers to deploy, manage, and scale virtual appliances.
• A Gateway Load Balancer operates at the Network layer (OSI layer 3).
• The listener rule defines the target group.
• For the Gateway Load Balancer, you register the virtual appliances with a target group.
• The Gateway Load Balancer then listens for all IP packets across all ports and forwards traffic to that target group.
• The Gateway Load Balancer preserves flows to a target virtual appliance using either a 5-tuple (TCP/UDP flows) or a 3-tuple (non-TCP/UDP flows).
• The Gateway Load Balancer and its registered virtual appliance exchange application traffic using the GENEVE protocol on port 6081.
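An added example (not AWS code) showing the flow identification described for the Network Load Balancer and the Gateway Load Balancer above: a 5-tuple key for TCP/UDP, a 3-tuple key for other IP protocols, and a deterministic choice among the targets that pass health checks. The hashing is a simple stand-in, not AWS's internal algorithm, and the packets and target IPs are constructed.

```python
"""Flow-consistent target selection: TCP/UDP flows are identified by a 5-tuple,
other IP protocols by a 3-tuple, and every packet of one flow must reach the
same target. Added example with a SHA-256-based choice; not AWS's algorithm.
The sample packets and target addresses are constructed."""
import hashlib
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")
TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers

TARGETS = ["10.0.1.10", "10.0.2.10", "10.0.3.10"]  # constructed appliance IPs, one per AZ
SAMPLE_PACKETS = [  # constructed traffic (documentation address ranges)
    Packet(TCP, "203.0.113.5", 51000, "198.51.100.20", 443),  # flow A, first packet
    Packet(TCP, "203.0.113.5", 51000, "198.51.100.20", 443),  # flow A, second packet
    Packet(TCP, "203.0.113.5", 51001, "198.51.100.20", 443),  # flow B: new source port
    Packet(ICMP, "203.0.113.5", 0, "198.51.100.20", 0),       # ICMP: 3-tuple only
    Packet(ICMP, "203.0.113.5", 8, "198.51.100.20", 0),       # "ports" ignored for ICMP
]


def flow_key(pkt: Packet) -> tuple:
    """5-tuple for TCP/UDP; 3-tuple (protocol, source IP, destination IP)
    for protocols that carry no ports, such as ICMP."""
    if pkt.proto in (TCP, UDP):
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    return (pkt.proto, pkt.src_ip, pkt.dst_ip)


def select_target(pkt: Packet, targets: list, healthy: set) -> str:
    """Pick one healthy target deterministically from the packet's flow key,
    so all packets of a flow stay on the same appliance or instance."""
    pool = [t for t in targets if t in healthy]  # health checks prune the pool
    if not pool:
        raise RuntimeError("no healthy targets in target group")
    key = "|".join(str(f) for f in flow_key(pkt)).encode()
    digest = hashlib.sha256(key).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def route_packets(packets: list, targets: list, healthy: set) -> dict:
    """Map every distinct flow in `packets` to the target it was sent to."""
    return {flow_key(p): select_target(p, targets, healthy) for p in packets}
```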
• All incoming traffic is HTTP (port 80) or HTTPS (port 443).
• An Application layer (OSI layer 7) load balancer explicitly designed for web applications.
Benefits of using an Application Load Balancer over a Classic Load Balancer:
• Configurable path conditions
• Configurable host conditions
• Configurable header conditions
• Multiple routing requests
• Redirecting requests
• Returning a custom HTTP response
• Registering load balancer targets by IP address
• Registering Lambda functions as targets
• Authenticating users of your applications through their corporate or social identities before routing requests
• Using containerized applications
• Monitoring each service’s health independently
• Latency is how long it takes for a request to go from the user to the server and for the response to come back to the user.
• Typically, latency is measured in milliseconds.
• Reducing latency improves the user’s experience.
• There are two good ways to reduce latency for your users:
• Implement a content delivery network (CDN)
• Use Route 53
• A CDN is a distributed network of servers that can efficiently deliver web content to users in their local regions.
• Benefits
• Better handling of instantaneous high loads through large-scale scaling.
• Better performance and improved user experience, especially when users request multiple types of content.
• Reduction of traffic to the origin server because user requests for content are served directly from edge locations.
• Amazon CloudFront is a web service that can rapidly distribute your web content (static and dynamic) to your users.
• Web content might include .html, .css, .js, image files, and video files.
• You can use CloudFront to deliver your content through a global network of data centers called edge locations.
• Edge locations are typically close to the end user and have a CloudFront cache of the web content.
• DNS (domain name) management
• DNS-level traffic routing
• Failover services (health checks)
• Route 53 lets you register and manage domain names and their associated DNS settings for your website or web application.
• Route 53 automatically sends requests over the internet to an endpoint, such as a web server, to verify that it’s available, reachable, and functional.
• Optionally, you can configure Amazon CloudWatch alarms for your health checks so that you receive notifications when resources become unavailable.
With loosely coupled architectures,
components can be updated independently,
but you cannot add to your solution. True or
false?
A. True
B. False
False
What allows seamlessly connecting two or
more VPCs in AWS? Choose the best
response.
A. Load balancing
B. Virtual machine scale sets
C. Virtual service endpoints
D. Peering
D
Private load balancers are used to balance
traffic inside your VPC, where only public IP
addresses are used. True or false?
A. True
B. False
False
Which of the following allows you to establish
a private connection between your on-
premises network and AWS? Select all that
apply.
A. Direct Connect
B. Peering
C. Site-to-site (S2S) VPN
D. AWS PrivateLink
A and D
Which of the following are true about using
Application Load Balancer? Select all that apply.
A. All your incoming traffic needs to be from
HTTP (port 80) requests.
B. It operates at level 7 of the OSI model.
C. It operates at level 4 of the OSI model.
D. It allows using gateway managed cookies for
sessions.
E. It does not support WAF.
A, B, and D
What is network latency? Choose the best
response.
A. The amount of data that the connection can
carry.
B. The amount of time it takes for data to travel
over the network.
C. The distance that the data must travel to
reach its destination.
D. The amount of time it takes to cache data in
a CDN.
B
How does Route 53 reduce latency? Choose the
best response.
A. It chooses the endpoint that is the closest to
the user’s DNS server.
B. It chooses only the fastest networks
between endpoints.
C. It caches content on an edge server in a
POP.
D. It chooses the endpoint that’s closest to the
Application Load Balancer.
A
Your organization has two app projects that
require completely different network
configurations. Which AWS service will allow
you to isolate resources and network
configurations? Choose the best response.
A. Edge locations
B. Amazon CloudFront
C. Route 53
D. Virtual Private Cloud
D
Which of the following is an AWS global
content delivery network (CDN) service?
Choose the best response.
A. Route 53
B. AWS Direct Connect
C. Amazon CloudFront
D. AWS VPN
C
Which AWS service provides DNS in the AWS
cloud? Choose the best response.
A. Route 53
B. AWS Direct Connect
C. Amazon CloudFront
D. AWS VPN
A
You should now know how to:
• Describe services available for compute such as Elastic Compute Cloud (EC2) instances, Auto Scaling, Elastic Container Service (ECS) and Fargate, and Elastic Kubernetes Service (EKS)
• Describe serverless computing and AWS products such as Lambda
• Describe Elastic Beanstalk and the AWS Marketplace
• Describe networking services available for AWS, including Virtual Private Cloud (VPC), VPN Gateway, Route 53, Direct Connect, and AWS PrivateLink
In this chapter, you'll learn how to:
• Describe AWS storage, including the usage of Amazon Elastic Block Store (EBS), Amazon Elastic File System (EFS), Simple Storage Service (Amazon S3), AWS Backup, AWS Storage Gateway, and the AWS Snow Family
• Describe AWS databases including the usage of Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon Redshift, and Amazon ElastiCache
• Describe the AWS Database Migration Service
In this module, you'll learn how to:
• Describe AWS storage services including instance stores, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic File System (Amazon EFS), Simple Storage Service (Amazon S3), AWS Backup, and AWS Storage Gateway
• Create a storage bucket
Storage type: Storage for…
Instance stores: Temporary block-level storage for instances
Amazon Elastic Block Store (EBS): Block-level storage volumes for AWS instances
Amazon Elastic File System (EFS): Files that you can access and manage like a file server
Amazon Simple Storage Service (S3): Massive objects, such as video and image files, graphics, or schematic drawings
AWS Backup: Data protection that you can centrally manage and automate across AWS services
AWS Storage Gateway: On-premises access to virtually unlimited cloud storage
• Cost savings
• Automated backup and recovery
• Replication across the globe
• Support for data analytics
• Security
• Support for multiple data types
• Data storage in EBS volumes
• Storage classes
• Structured data
– Think of spreadsheets or database tables when thinking about structured data.
– This type of data is highly organized and is also referred to as relational data.
– The data schema defines the table of data, the fields in the table, and the precise relationship between them.
– Keys indicate how data in one row of a table relates to data in another row of another table.
• Unstructured data
– Data that doesn’t have any specified structure. Because there isn’t any structure, there are no restrictions on the kinds of data it can store.
• Semi-structured data
– Data that doesn’t fit neatly into a scheme such as tables, columns, and rows but does have some way to organize the data.
– Semi-structured data often uses keys or tags to organize and provide a hierarchy for the data.
– Semi-structured data is also called non-relational data or NoSQL data.
S3 Standard: Optimized for storing frequently accessed data. Stores data in a minimum of three Availability Zones.
S3 Intelligent-Tiering: Provides cost savings by automatically moving objects between four access tiers when access patterns change.
S3 Standard-IA: Optimized for storing data that is accessed less frequently but requires rapid access when needed. Use this class if you are storing primary data or a copy of data that can’t be re-created.
S3 One Zone-IA: Optimized for storing data in a single Availability Zone that is accessed less frequently but requires rapid access when needed. Use this class if you are able to recreate the data if the Availability Zone fails, and for object replicas when setting up S3 Cross-Region Replication (CRR).
S3 Glacier: Used for rarely accessed or archived data that is stored for extended time periods and has flexible latency requirements. It might take a few minutes to a few hours to retrieve storage objects.
S3 Glacier Deep Archive: Provides long-term retention and digital preservation for archived data that may be accessed once or twice a year. It might take up to 12 hours to retrieve storage objects.
• Cost-effectiveness
• Reliability
• Storage types
• Agility
Needs: On-premises storage / AWS data storage
Compliance and security: Requires dedicated servers for privacy and security / Client-side encryption and encryption at rest
Store structured and unstructured data: Requires additional IT resources and dedicated servers / AWS Data Lakes analyze and manage all types of data
Replication and high availability: Requires more resources, licensing, and servers / Built-in replication and redundancy features available
Application sharing and access to shared resources: Requires additional admin resources for file sharing / File sharing options available without an additional license
Relational data storage: Requires a database server with a database admin role / Offers database-as-a-service options
Tiered storage: Requires technology and labor skills to manage tiered storage / Automated tiered storage of data
• Instance stores provide temporary block-level storage for EC2 instances.
• An instance store is a storage volume on a disk that is physically attached to the host computer.
• You can only specify instance store volumes on EC2 instances when they are launched.
• You can’t move one instance’s store volume to a different instance.
• Amazon Elastic Block Store (Amazon EBS) is a solution that provides block-level storage volumes for use with EC2 instances.
• These block-level storage volumes are like physical disks in an on-premises server, except they are virtualized.
• The available types of volumes include:
• Throughput Optimized HDD (st1)
• Cold HDD (sc1)
• General Purpose SSD (gp3 and gp2)
• Provisioned IOPS SSD (io2 and io1)
Feature comparison of EBS volume types:
Throughput Optimized HDD (st1): disk type HDD; usage scenarios: frequently accessed, throughput-intensive workloads; max volume size 16 TiB; max IOPS 500; max throughput per volume 500 MiB/s
Cold HDD (sc1): disk type HDD; usage scenarios: infrequent access; max volume size 16 TiB; max IOPS 250; max throughput per volume 250 MiB/s
General Purpose SSD (gp3 and gp2): disk type SSD; usage scenarios: web servers, lightly used enterprise applications, and dev/test; max volume size 16 TiB; max IOPS 16,000; max throughput per volume 1,000 MiB/s
Provisioned IOPS SSD (io2 and io1): disk type SSD; usage scenarios: production and performance-sensitive workloads; max volume size 64 TiB; max IOPS 256,000; max throughput per volume 4,000 MiB/s
• High availability and durability
– An EBS volume automatically replicates within its Availability Zone to prevent data loss due to any single hardware component’s failure.
• Data persistence
• Data encryption
– All EBS volumes can be encrypted using the Amazon EBS encryption feature. The encryption takes place on the server hosting the EC2 instance. This provides encryption of data in transit from the EC2 instance to Amazon EBS storage.
• Availability Zone integration
– EBS volumes support Availability Zones, which protects your applications from data center failures.
• Flexibility
– You can make configuration changes to EBS volumes while in production. You can modify volume size, volume type, and IOPS capacity without interrupting service.
• Snapshots
– A snapshot is an incremental backup. Each snapshot only saves the blocks on the device that have changed after the most recent snapshot.
• Amazon EBS encryption uses customer master keys (CMKs) and AWS Key Management Service (AWS KMS) when creating encrypted volumes and snapshots.
• When you create an encrypted EBS volume and attach it to an EC2 instance, the following types of data are encrypted:
• Data at rest inside the volume
• Data in transit between the volume and the instance
• Any snapshots created from the volume
• Any volumes created from those snapshots
• Create and attach an Amazon EBS volume when you launch an EC2 instance by specifying the block device mapping.
• Create an empty Amazon EBS volume and attach it to a running instance.
• Create an Amazon EBS volume from a previously created snapshot and attach it to a running instance.
• Provides a fully managed file sharing solution for storing files in the cloud
• NFS protocol-based shared file system storage for Linux workloads
• A regional service that provides high availability and durability by storing data within and across multiple Availability Zones
• Amazon EC2 instances can access your file system across regions, Availability Zones, and VPCs
• Fully managed
• Elastic
• Shared access
• Durability
• Scripting and tooling
• Familiar programmability
• “Lift and shift” applications
• Replace or supplement on-premises file servers
• Simplify cloud development
• Containers and serverless persistent file storage
• Provides fully managed third-party file systems that include native compatibility and feature sets.
• These file systems are beneficial for workloads that require Windows-based storage, high-performance computing, and low latency.
• Amazon FSx supports two types of file systems:
– Lustre
– Windows File Server
• Lustre is an open-source parallel distributed file system. It is designed for high availability, high performance, and scalability.
• Amazon FSx for Lustre is a fully managed Lustre file system.
• Integration with S3 enables you to:
1. Automatically copy your data from S3 to FSx for Lustre.
2. Run your workload.
3. Write the results back to S3 for storage.
• Provides a fully managed native Microsoft Windows file system
• Includes full support for the following Windows features:
– Windows NTFS
– The SMB protocol
– Active Directory (AD)
– Distributed File System (DFS)
• Amazon Simple Storage Service (Amazon S3) is optimized for storing unlimited amounts of structured or unstructured data as objects that can be retrieved from anywhere on the internet.
• When you store data in Amazon S3, you work with resources that are called objects and buckets.
• An object is any type of file and its associated metadata that describes it.
• A bucket is simply a container for your objects.
• Create as many buckets as you want. Buckets are the basic containers Amazon S3 uses to store data.
• Store unlimited amounts of data in a bucket.
• Upload unlimited objects into a bucket.
• Upload objects up to 5 TB in size.
• Store and retrieve each object using a unique developer-assigned key.
• Download data. You or others can download objects from your buckets at any time.
• Assign an IAM policy to grant or deny access to others who want to upload or download data into your buckets.
• Use REST and SOAP interfaces to work with any internet-development toolkit.
• Buckets
– A bucket is a basic container that Amazon S3 uses to store objects.
– Every object is contained in a bucket.
– Buckets are used to:
  • Organize the Amazon S3 namespace
  • Identify the billing account responsible for data transfer and storage charges
  • Carry out access control operations by assigning IAM policies to the buckets
  • Serve as the unit of collection for usage reporting
• Objects
– Objects are the primary things stored in Amazon S3.
– Store objects up to a maximum size of five terabytes.
– An object is uniquely identified within a bucket by a key and a version ID.
– Objects are composed of object data, metadata, and a key.
• Keys
– A key is an object’s unique identifier within a bucket.
– Every object in a bucket has a single key.
– The combination of a bucket name, key, and version ID uniquely identifies each object in Amazon S3.
• Amazon enables server-side encryption on all S3 storage accounts.
• All AWS replication options support encryption.
• Amazon S3 encrypts stored data regardless of performance tier, access tier, or deployment model.
• Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard (AES-256) to encrypt your data.
• By default, Amazon encrypts data in Amazon S3 with Amazon S3-Managed Keys (SSE-S3).
Key management parameter: Amazon S3-Managed Keys (SSE-S3) / Customer Master Keys (CMKs) / Customer-Provided Keys (SSE-C)
Encryption/decryption operations: Amazon S3 / Amazon S3 / Amazon S3
Amazon storage services supported: Amazon S3 / Amazon EBS, Amazon S3 / Amazon S3
Key storage: AWS Key Management Service (SSE-KMS) / AWS Key Management Service (SSE-KMS) / Customer’s own key store
Key rotation responsibility: Amazon S3 / Customer / Customer
Key control: Amazon S3 / Customer / Customer
• Versioning
– Allows you to keep multiple variants of an object in the same bucket.
– Buckets can have three states:
  • Unversioned (the default)—versioning has not been enabled for the bucket.
  • Versioning-enabled—versioning is enabled for the bucket.
  • Versioning-suspended—versioning was enabled previously for the bucket but is no longer enabled.
• S3 Object Lock
– Provides protection against objects being changed or deleted.
– Objects are stored using a write-once-read-many (WORM) model.
– You can use Object Lock to prevent changes or deletion indefinitely or for a specified amount of time.
• Storage lifecycle
– An S3 Lifecycle configuration contains rules that define actions that Amazon S3 applies to a group of objects.
– There are two types of actions:
  • Transition actions—Specify when objects are moved to another Amazon S3 storage class.
  • Expiration actions—Specify when objects reach the end of their lifetime.
• Replication
– S3 replication enables automatic, asynchronous copying of objects across Amazon S3 buckets.
– To enable object replication, you add a replication configuration to your source bucket.
– The minimum configuration must provide the destination bucket or buckets and an IAM role that has permissions to replicate objects.
– There are two types of S3 replication:
  • Cross-Region Replication (CRR)—Used to copy objects across Amazon S3 buckets in different AWS regions.
  • Same-Region Replication (SRR)—Used to copy objects across Amazon S3 buckets in the same AWS region.
• Object tags
– You can categorize your storage objects by adding tags to them.
– Each tag is a key-value pair.
– You can add up to 10 tags per object, and they can be added to new or existing objects.
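An added example (not course code) that evaluates a constructed S3 Lifecycle configuration offline: the storage class an object is in at a given age, its transition and expiration dates, and a check for S3's 30-day minimum before a transition to an infrequent-access class. The rule dictionaries use the shape that boto3's put_bucket_lifecycle_configuration accepts.

```python
"""Evaluate an S3 Lifecycle configuration offline: which storage class an object
is in after a given age, when it expires, and whether the rules respect S3's
30-day minimum before a transition to an infrequent-access class.
Added example, not course code; the rule values below are constructed."""
from datetime import date, timedelta

IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}
IA_MIN_DAYS = 30  # S3 rejects IA transitions earlier than 30 days after creation

# Constructed configuration: tier logs down over time, purge temporary files.
LIFECYCLE = {
    "Rules": [
        {
            "ID": "logs-tiering",
            "Filter": {"Prefix": "logs/"},
            "Status": "Enabled",
            "Transitions": [  # transition actions
                {"Days": 30, "StorageClass": "STANDARD_IA"},
                {"Days": 90, "StorageClass": "GLACIER"},
                {"Days": 365, "StorageClass": "DEEP_ARCHIVE"},
            ],
            "Expiration": {"Days": 2555},  # expiration action (about 7 years)
        },
        {
            "ID": "tmp-cleanup",
            "Filter": {"Prefix": "tmp/"},
            "Status": "Enabled",
            "Expiration": {"Days": 7},
        },
    ]
}


def matching_rules(config: dict, key: str) -> list:
    """Enabled rules whose prefix filter matches the object key."""
    return [r for r in config["Rules"]
            if r.get("Status") == "Enabled"
            and key.startswith(r.get("Filter", {}).get("Prefix", ""))]


def storage_class_after(config: dict, key: str, age_days: int) -> tuple:
    """Return (storage_class, expired) for an object that is age_days old.
    The latest transition whose Days threshold has passed wins; the object is
    expired once any matching rule's Expiration.Days has passed. (Real S3 runs
    the action at midnight UTC after the threshold; that detail is ignored.)"""
    cls, cls_day, expired = "STANDARD", -1, False
    for rule in matching_rules(config, key):
        for t in rule.get("Transitions", []):
            if age_days >= t["Days"] > cls_day:
                cls, cls_day = t["StorageClass"], t["Days"]
        exp = rule.get("Expiration", {}).get("Days")
        if exp is not None and age_days >= exp:
            expired = True
    return cls, expired


def timeline(config: dict, key: str, uploaded_iso: str) -> list:
    """Sorted [(ISO date, action)] for an object uploaded on uploaded_iso."""
    start = date.fromisoformat(uploaded_iso)
    events = []
    for rule in matching_rules(config, key):
        for t in rule.get("Transitions", []):
            events.append(((start + timedelta(days=t["Days"])).isoformat(),
                           f"transition to {t['StorageClass']}"))
        exp = rule.get("Expiration", {}).get("Days")
        if exp is not None:
            events.append(((start + timedelta(days=exp)).isoformat(), "expire"))
    return sorted(events)


def check_ia_minimum(config: dict) -> list:
    """Rules S3 would reject: a transition to an IA class before day 30."""
    problems = []
    for rule in config["Rules"]:
        for t in rule.get("Transitions", []):
            if t["StorageClass"] in IA_CLASSES and t["Days"] < IA_MIN_DAYS:
                problems.append(f"{rule['ID']}: {t['StorageClass']} at day "
                                f"{t['Days']} (minimum {IA_MIN_DAYS})")
    return problems
```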
 AWS Lake Formation is a managed service
that makes it easy to set up, secure, and
manage data lakes.
 AWS Lake Formation helps you to discover
your data sources.
 It then helps you to cleanse, transform, and
catalog the data.
 You can use AWS Lake Formation to ingest stored
data and move it into an Amazon S3 data lake.
[Diagram: Lake Formation concepts: Data lake, Data Access, Blueprint, Workflow, Data Catalog, Underlying Data]
 AWS Backup
 AWS Storage Gateway
 AWS Snow Family
 AWS Backup is a fully managed backup
service.
 You can use AWS Backup to automate and
centralize backups of your data across your
AWS cloud services.
 AWS Backup can also back up your on-
premises data.
 AWS Storage Gateway is a hybrid cloud
storage service that connects an on-premises
software appliance, or gateway, with cloud-
based storage.
 You can use AWS Storage Gateway to provide
a secure and seamless integration between
your AWS cloud storage and your on-premises
IT environment.
 Three types of gateway:
– File gateway
– Volume gateway
– Tape gateway
AWS Snowcone | A portable, rugged, and secure edge device that is used for computing and data transfer.
AWS Snowball | A data migration and edge computing device. There are two options for Snowball devices:
 Compute Optimized devices that provide up to 52 vCPUs and 42 terabytes of usable block or object storage. Also includes an optional GPU for advanced use cases such as machine learning.
 Storage Optimized devices that provide up to 40 vCPUs of compute capacity along with 80 terabytes of usable block or Amazon S3 object storage.
AWS Snowmobile | A service that moves up to 100 PB of data in a large, sturdy shipping container and is ideal for multi-petabyte or exabyte-scale data migrations and data center moves or shutdowns.
Your organization is setting up a solution in AWS.
The solution needs to provide a storage solution
that provides home directories for employees.
Which AWS storage solution would you choose?
Choose the best response.
A. Amazon S3
B. Lake Formation
C. Amazon EFS
D. Amazon EBS
E. Instance stores
C
What is the primary kind of data that objects
store? Choose the best response.
A. Structured
B. Unstructured
C. Semi-structured
B
Which solution allows you to handle massive
amounts of unstructured data for big data
analytics? Choose the best response.
A. Instance stores
B. AWS Lake Formation
C. AWS EFS
D. AWS EBS
E. Amazon S3
B
Which hybrid storage service enables an
organization’s on-premises application to
seamlessly use AWS cloud storage? Choose
the best response.
A. AWS Storage Gateway
B. AWS Snowball
C. AWS Backup
D. Amazon S3
E. Amazon Direct Connect
A
Which type of AWS storage can be
considered as a virtual hard disk in the cloud?
Choose the best response.
A. Instance store
B. Amazon EFS file system
C. Amazon EBS volume
D. Amazon S3 archive
E. Amazon file gateway
C
Your organization wants to store copies of
backups on Amazon S3. You need to have
infrequent but rapid access to the backups.
Which storage class fits these requirements?
Choose the best response.
A. S3 Glacier Deep Archive
B. S3 Standard
C. S3 Glacier
D. S3 One Zone-IA
D
You are creating a web app on several AWS
EC2 instances. Which storage service can you
use if you need to connect multiple EC2
instances concurrently using file-level
protocols? Choose the best response.
A. Instance stores
B. Amazon EFS
C. Amazon EBS
D. File gateway
B
Which of the following AWS storage services
allow you to connect to storage from an on-
premises application using standard file
protocols? Choose the best response.
A. Instance stores
B. Amazon EBS
C. Amazon EFS
D. Amazon S3
E. Amazon Glacier
C
What type of AWS storage would you use for
media files that you want to access via the
internet? Choose the best response.
A. Amazon EBS
B. Amazon S3
C. Amazon EFS
D. Amazon FSx
B
You are working on a media storage
application. You want to be able to allow
read/write access to your S3 buckets. Which
of the following would be best suited for this
requirement? Choose the best response.
A. IAM user
B. IAM role
C. IAM group
D. IAM policy
D
In this module, you'll learn how to:
 Describe AWS database services
 Describe the Amazon Relational Database
Service (Amazon RDS) and Amazon Aurora
 Describe Amazon DynamoDB
 Describe Amazon Redshift and Amazon
ElastiCache
 AWS offers a wide variety of fully managed
relational, NoSQL, and in-memory
databases.
 Relational databases
– Data is usually organized into multiple tables, each
holding a specific type of data.
– Create relationships between tables by linking one or
more fields in one table to fields in another table.
– Relational databases use structured query language
(SQL) to store and query data.
Continued…
ID | Product name | Size | Price
1 | House blend coffee | 12 oz | $4.50
2 | House blend black tea | 12 oz | $3.00
3 | House blend espresso | 8 oz | $4.00
 NoSQL databases
– NoSQL databases (“non SQL”
or “non-relational”) store data
differently than relational
tables.
– Consists of a table where you
can store and query data, but
uses structures other than rows
and columns to organize the
data.
– NoSQL databases come in several types based on their
data model:
• Key-value
• Document
• Graph
• Wide-column
Continued…
Key | Value
1 | Name: Joe Fraiser; Address: 123 Main Street; Favorite drink: Black coffee
2 | Name: Jill Smith; Favorite drink: Cappuccino; Birthday: July 8, 1975
3 | Name: Maria Garcia; Address: 123 North Avenue; Favorite dessert: Chocolate chip cookie
 OLAP databases
– Use multidimensional data models.
– These data models allow for ad hoc queries and
complex analytics, as well as rapid execution
times.
– Integrate features of relational databases,
navigational databases, and hierarchical
databases.
– Typical applications of OLAP include sales
reporting, marketing, business process
management, budgeting, and financial
reporting.
Continued…
 In-memory databases
– An in-memory database primarily relies on the
main computer memory for data storage.
– In-memory databases are faster than disk
databases because disk access is slower than
memory access.
– Accessing data in memory eliminates the seek
time when querying the data.
Service | Used to…
Amazon Relational Database Service (Amazon RDS) | Build traditional applications that use relational databases. Amazon RDS offers six database engines.
Amazon Aurora | Build applications that use relational databases at 1/10th the cost of commercial databases. Aurora is compatible with MySQL and PostgreSQL relational databases.
Amazon DynamoDB | Build low latency, highly available applications at any scale, or migrate NoSQL workloads to the cloud.
Amazon Redshift | Build data warehousing services that you can use for big data analytics.
Amazon ElastiCache | Build fast, scalable applications with open-source-compatible in-memory data stores.
AWS Database Migration Service | Migrate relational databases, non-relational databases, and other types of data stores.
Amazon DocumentDB | Set up, operate, and scale databases for MongoDB workloads.
Amazon Neptune | Build applications that work with highly connected data sets, such as fraud detection, recommendation engines, and knowledge graphs.
Amazon Quantum Ledger Database (Amazon QLDB) | Provide a ledger database for transparent, immutable, and cryptographically verifiable transactions owned by a central trusted authority.
Amazon Timestream | Analyze and store sensor data for IoT applications, telemetry for application monitoring, and metrics for DevOps scenarios.
Feature | Amazon RDS | Amazon Aurora | Amazon DynamoDB | Amazon Redshift | Amazon ElastiCache
Database type | Relational | Relational | Non-relational database (NoSQL) | Online analytical processing (OLAP) | In-memory database
Data model | Relational | Relational | Key-Value | Relational | Key-Value
Serverless compute | No | Available (Aurora Serverless) | Yes | No | No
Best uses | Business applications, SaaS apps like CRM, ERP, and eCommerce | SaaS apps like CRM, ERP, and eCommerce | Mobile and web apps, gaming, IoT | Large-scale data warehouses, data analytics, and data migrations | Caching, chat, BI and analytics, session store, gaming leaderboards
 Amazon Relational Database Service (Amazon
RDS) is a fully managed, platform as a service
(PaaS) relational database service.
 Amazon RDS is available on five database
engines plus Amazon Aurora. Supported
database engines include:
– PostgreSQL
– MySQL
– MariaDB
– Oracle Database
– Microsoft SQL Server
 Create highly available and high-performance
data storage applications and solutions in
AWS.
 Enable processing both relational data and
non-relational structures in applications.
 Utilize ACID (atomicity, consistency, isolation,
durability) transactions, joins, or other complex
transactions.
 Utilize advanced query processing features,
such as intelligent query processing.
 Reduce administration of the underlying
environment, such as the OS.
 DB instance
– An isolated database environment in the AWS Cloud.
– Can contain multiple databases.
 DB engine
– The underlying software component that Amazon RDS uses to create, read, update
and delete (CRUD) data from a database.
– Each DB engine has its own supported features.
– Each DB instance runs a DB engine.
 DB instance class
– Determines the computation and memory capacity of an Amazon RDS DB instance.
– Amazon RDS supports three types of instance classes:
 Standard
 Memory Optimized
 Burstable Performance
 DB instance storage
– Amazon RDS DB instances use Amazon EBS volumes for storing databases and logs.
– Amazon RDS offers three storage types:
 General Purpose SSD (also known as gp2)
 Provisioned IOPS SSD (also known as io1)
 Magnetic (also known as standard)
Continued…
 AWS regions, Availability Zones, and Local Zones
– RDS allows you to place resources in multiple locations.
 Multi-AZ (high availability)
– In a Multi-AZ deployment, RDS automatically creates a synchronous standby replica
in a different Availability Zone.
– Use RDS Multi-AZ deployments to provide high availability and failover support for
DB instances.
 Read replicas
– To serve read traffic, you can use read replicas.
– RDS uses a DB engine’s built-in replication to create a special kind of DB instance,
called a read replica, from a source DB instance.
– The source DB instance becomes the primary DB instance, and updates made to it
are asynchronously copied to the read replica.
– The read replica functions as a DB instance that only permits read-only connections.
– You can reduce the load on your primary DB instance by routing read queries from
your applications to the read replica.
– Read replicas are supported by all of the RDS DB engines.
– You can use read replicas to:
 Scale out past the compute or I/O capacity restrictions of a single DB instance.
 Serve read traffic while the source (primary) DB instance is unavailable.
 Run reporting queries against a read replica rather than your source (primary)
DB instance for business reporting or data warehousing.
 Implement disaster recovery.
Continued…
 Failover support for Amazon RDS
– Multi-AZ deployments for MySQL, MariaDB, PostgreSQL, and Oracle DB
instances use Amazon’s failover technology.
– SQL Server DB instances use Always-On Availability Groups (AGs) or SQL
Server Database Mirroring (DBM).
 Security
– AWS uses the shared security responsibility model. This means you must
manage network access to your Amazon RDS resources, such as your DB
instances and databases.
– The method you use to control access depends on what tasks the user
needs to perform with Amazon RDS.
Continued…
 Monitoring an Amazon RDS DB instance
– Monitoring is an essential part of sustaining the
availability, reliability, and performance of
Amazon RDS and your AWS workloads.
– AWS offers several tools for monitoring your
Amazon RDS resources and responding to
potential incidents:
• Amazon CloudWatch alarms
• AWS CloudTrail logs
• Enhanced monitoring
• Amazon RDS Performance Insights
• Database logs
• Amazon RDS recommendations
• Amazon RDS event notifications
• AWS Trusted Advisor
 Amazon Aurora is a fully managed enterprise-class
relational database that is also part of the Amazon
RDS-managed database service. Aurora is
compatible with MySQL and PostgreSQL relational
DB engines.
 Aurora is:
– Up to five times faster than a standard MySQL
database
– Up to three times faster than a standard
PostgreSQL database
 Amazon Aurora automatically:
– Replicates six copies of your data across three
Availability Zones.
– Continuously backs up your data to Amazon S3.
Continued…
 An Amazon Aurora DB cluster consists of DB
instances and a cluster volume that handles their
data. An Aurora cluster volume is a virtual
database storage volume that covers multiple
Availability Zones, and each AZ has a copy of the
DB cluster data. There are two types of DB
instances that make up an Aurora DB cluster:
– Primary DB instance: Supports read and write
operations and handles all the cluster volume’s data
modifications. Each Aurora DB cluster has one
primary DB instance.
– Aurora replica: An Aurora replica connects to the
same storage volume as the primary DB instance, but
it only supports read operations.
 Amazon DynamoDB is useful for modern
app development because it is a fully
managed NoSQL database, which can
handle semi-structured data.
 Amazon DynamoDB is a PaaS database
service, which means you don’t need to
spend time managing infrastructure.
 Mobile, gaming, web, and IoT applications
often need to handle massive amounts of
data, quickly read and write data globally,
and respond in near-real-time.
 These types of applications will benefit from
Amazon DynamoDB’s guarantee for:
– High availability (99.99%)
– High throughput
– Extremely low latency (single-digit millisecond)
– Tunable consistency
– Enterprise-level security
– Fully-managed database services
Continued…
 Serverless
– DynamoDB automatically spreads your table’s data and
traffic over enough servers to handle your throughput
and storage requirements while sustaining consistent
and fast performance.
– All your data is stored on solid-state disks (SSDs).
– The data is also automatically replicated across multiple
Availability Zones in an AWS region to provide high
availability and data durability.
 Automatic scaling
– As your database’s size grows or shrinks, DynamoDB
automatically scales to adjust for the capacity changes.
– You can scale your tables’ throughput capacity up or
down without downtime or performance degradation.
 Tables
 Items
 Attributes
 Primary Key
 Secondary Indexes
 DynamoDB Streams
 DynamoDB Accelerator (DAX)
 DynamoDB replication
 AWS doesn’t limit your options for
databases.
 Amazon makes it easy to run a variety of
databases to use with your apps.
 A fast, fully managed, petabyte-scale data
warehouse service
 Use Amazon Redshift for your applications that
need to handle I/O of complex data at massive
velocities in near real-time
 An Amazon Redshift data warehouse is a collection
of computing resources called nodes, which are
organized into a group called a cluster.
 Each cluster runs an Amazon Redshift engine and
contains one or more databases.
 The type and number of compute nodes or clusters
that you need depends on the following:
– The size of your data
– The number of queries you will execute
– The query execution performance that you need
 Amazon ElastiCache makes it easy to set up,
manage, and scale distributed in-memory
cache environments in the AWS Cloud.
 It provides a high-performance, resizable,
and cost-effective in-memory cache while
removing the complexity of deploying and
managing a distributed cache environment.
 ElastiCache is ideal for applications that
require sub-millisecond latency, such as a
real-time IoT application.
Feature | Memcached | Redis (cluster mode disabled) | Redis (cluster mode enabled)
Engine versions | 1.5.x | 2.8.x and later | 3.2.x and later
Data types | Simple | 2.8.x - Complex | 3.2.x and later - Complex
Data partitioning | Yes | No | Yes
Modifiable cluster | Yes | Yes | Limited (3.2.10 and later)
Online resharding | No | No | 3.2.10 and later
Encryption | No | 3.2.6, 4.0.10 and later | 3.2.6, 4.0.10 and later
High availability (replication) | No | Yes | Yes
Automatic failover | No | Optional | Required
Sorted sets | No | Yes | Yes
Backup and restore | No | Yes | Yes
 AWS Database Migration Service is a web service you
can use to migrate data from your on-premises
database, an Amazon RDS DB instance, or a database on
an Amazon EC2 instance to another AWS database
service.
 At a high level, when using AWS DMS, you do the
following:
1. Create a replication server.
2. Create source and target endpoints that have connection
information about your data stores.
3. Create one or more replication tasks to migrate data
between the source and target data stores.
 A task can consist of three major phases:
1. A complete load of existing data
2. The application of cached changes
3. Ongoing replication
 Replication instance
– A replication instance is a managed Amazon EC2
instance that hosts one or more replication tasks. It’s
important to choose the right size instance for the
migration. AWS DMS provides several replication
instances so you can choose the optimal configuration
for your situation.
 Source and target endpoints
– The endpoint is the location where DMS accesses your
source or target data stores. The connection
information varies depending on your data store.
 Replication task
– A replication task moves a set of data from the source
endpoint to the target endpoint. Creating a replication
task is the final step you need to perform before you
start a migration.
Your organization needs to import a large
amount of structured data into a database
service. What is the best suited AWS database
service to achieve this? Choose the best
response.
A. Amazon ElastiCache
B. Amazon DynamoDB
C. Amazon RDS
D. Amazon DocumentDB
C
You are creating a solution that requires a
database that can handle semi-structured
data. Which AWS solution would you
suggest? Choose the best response.
A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon RDS for PostgreSQL
D. Amazon RDS for MySQL
E. AWS Database Migration Services
B
What AWS service provides five times the
performance of a standard MySQL database?
Choose the best response.
A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon Aurora
D. Amazon RDS for MySQL
E. Amazon ElastiCache
C
You work as an on-premises MySQL DBA. The work of
database configuration, backups, and patching can be
time-consuming and repetitive. Your organization has
decided to migrate to AWS cloud. Which of the
following can help save time on the regular database
tasks so you can focus on providing faster
performance and high availability to your users?
Choose the best response.
A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon Aurora
D. Amazon RDS
E. AWS Database Migration Services
D
What is the AWS database service that allows
you to upload data structured in key-value
format? Choose the best response.
A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon Aurora
D. Amazon RDS
E. Amazon ElastiCache
B
You are developing an app that generates
semi-structured data. You are planning to use
Amazon RDS. Would this suit the
requirement?
A. Yes
B. No
B
You are developing an app that requires a high
level of query performance on large data sets.
You are planning to use Amazon Redshift.
Would this suit the requirement?
A. Yes
B. No
A
Which of the following Amazon RDS features
facilitates offloading of database read activity?
Choose the best response.
A. Database snapshots
B. Automated backups
C. Multi-AZ deployments
D. Read replicas
E. In-memory caching
D
You need to migrate an on-premises MySQL
database to AWS RDS for MySQL. What type
of migration is this? Choose the best
response.
A. Homogeneous migration
B. Heterogeneous migration
C. On-premises migration
D. Hybrid migration
A
Which of the following is a feature of Amazon
RDS that performs automatic failover when
the primary database fails to respond?
Choose the best response.
A. RDS snapshots
B. RDS Write replicas
C. RDS Single-AZ
D. RDS Multi-AZ
D
You should now know how to:
 Describe AWS storage, including the usage of
Amazon Elastic Block Store (EBS), Amazon
Elastic File System (EFS), Simple Storage
Service (Amazon S3), AWS Backup, AWS
Storage Gateway, and the AWS Snow Family
 Describe AWS databases including the usage
of Amazon RDS, Amazon Aurora, Amazon
DynamoDB, Amazon Redshift, and Amazon
ElastiCache
 Describe the AWS Database Migration Service
In this chapter, you'll learn how to:
 Describe AWS messaging and queuing and AWS products such
as Amazon Simple Notification Service (Amazon SNS) and
Amazon Simple Queue Service (Amazon SQS)
 Describe the internet of things (IoT) and AWS IoT products such
as AWS IoT Core, AWS IoT Device Management, AWS IoT Device
Defender, and AWS IoT 1-Click
 Explain Big Data and Analytics and AWS products such as
Amazon Athena, Amazon EMR, Amazon Redshift, Amazon
Kinesis, Amazon Elasticsearch Service, Amazon Quicksight, and
AWS Glue
 Describe Artificial Intelligence (AI) and Machine Learning (ML)
and identify AWS AI and ML services such as Amazon Kendra,
Amazon Comprehend, Amazon Personalize, and Amazon
SageMaker
 Describe DevOps solutions such as AWS CodeCommit,
CodeArtifact, CodeBuild, CodeDeploy, CodePipeline, Cloud9,
AWS CodeStar, and X-Ray
In this module, you'll learn how to:
 Describe AWS messaging with Amazon
Simple Notification Service (Amazon SNS)
 Describe AWS queueing with Amazon
Simple Queue Service (Amazon SQS)
 Amazon Simple Notification Service (Amazon
SNS) is a fully managed messaging service.
 It provides message delivery from publishers
(also known as producers) to subscribers (also
known as consumers).
 Publishers communicate asynchronously with
subscribers by sending messages to a topic.
 An SNS topic is a logical access point and
communication channel.
 Subscribers can enroll in the SNS topic and
receive published notifications using
supported endpoints.
Continued…
 Amazon SNS provides both application-to-
person (A2P) and application-to-application
(A2A) communication.
 Some typical A2P endpoints include:
– Mobile push notifications to mobile apps or
mobile phone numbers
– Mobile text messages (SMS)
– Email addresses
 Some standard A2A endpoints include:
– AWS Lambda functions
– Amazon Kinesis Data Firehose delivery streams
– Amazon SQS queues
– HTTP/S
 Sending messages directly to millions of
subscribers
 Delivering messages reliably
 Scaling workloads automatically
 Ensuring message accuracy
 Simplifying your messaging architecture
 The Amazon Simple Queue Service (Amazon SQS) is
a service for storing, retrieving, and delivering large
numbers of messages between applications.
 You can use Amazon SQS to help build decoupled
applications that separate functions into separate
components.
 You can use Amazon SQS to:
– Accumulate messages and pass them between
different web servers.
– Build resiliency against component failure when
demand surges or when a large number of users try
to access your data simultaneously.
– Distribute the load between different regions and
servers to manage surges in traffic.
 Components
– Components of your distributed system can be producers or consumers.
– Producers send messages to the queue.
– Consumers receive messages from the queue.
 Queue
– A queue contains a set of messages. AWS offers two types of queues:
• Standard queues: Support an almost unlimited number of API calls per second,
per API action. Standard queues support at-least-once message delivery.
• FIFO (First-In-First-Out) queues: Provide enhanced messaging between
applications when the order of operations and events is critical, or where
duplicates can’t be tolerated.
 Queue names
– Amazon SQS assigns each queue created an identifier called a queue URL.
– The queue URL includes the queue name and other Amazon SQS
components such as the AWS account and region.
– The queue URL has the following structure:
https://sqs.us-east-2.amazonaws.com/<AWS account>/<queue name>
 Messages
– Messages can be in any format as long as they are only up to 256 KB.
– The default message retention period is 4 days. Eac
1. A producer component sends message 1 to a
queue. This message is redundantly distributed
across the Amazon SQS servers.
2. When a consumer component is ready to process
messages, it retrieves message 1 from the queue. A
visibility timeout begins. While message 1 is being
processed, it remains in the queue. However, it isn’t
available for subsequent retrieval requests during
the visibility timeout.
3. When processing is complete for message 1, the
consumer component deletes message 1 from the
queue to prevent the message from being
retrieved and processed again when the visibility
timeout expires.
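The three-step lifecycle above, together with the dead-letter queue asked about in the review questions, as an added in-memory simulation (illustration code written for this page, not AWS's; the Queue class, the explicit `now` clock value and the constructed message IDs are assumptions of the example, while `max_receive_count` mirrors the maxReceiveCount setting of an SQS redrive policy):

```python
"""Toy model of the Amazon SQS message lifecycle: visibility timeout,
at-least-once delivery and dead-letter redrive after too many receives.

Constructed illustration, not AWS code; the queue lives in memory and takes an
explicit clock value so the visibility timeout can be advanced deterministically.
"""
from dataclasses import dataclass, field
import itertools
from typing import Callable, Optional


@dataclass
class Message:
    message_id: str
    body: str
    receive_count: int = 0
    invisible_until: float = 0.0   # clock value at which the message is visible again


@dataclass
class Queue:
    visibility_timeout: float = 30.0
    max_receive_count: Optional[int] = None   # mirrors the maxReceiveCount redrive setting
    dead_letter: Optional["Queue"] = None     # where messages go once that count is exceeded
    _messages: dict = field(default_factory=dict)   # message_id -> Message, oldest first
    _ids: itertools.count = field(default_factory=lambda: itertools.count(1))

    def send(self, body: str) -> str:
        """Step 1: a producer enqueues a message."""
        mid = f"msg-{next(self._ids)}"        # constructed ID, not an SQS-format one
        self._messages[mid] = Message(mid, body)
        return mid

    def receive(self, now: float) -> Optional[Message]:
        """Step 2: hand out the oldest visible message and start its visibility timeout."""
        for msg in list(self._messages.values()):
            if msg.invisible_until > now:
                continue                         # still being processed by some consumer
            msg.receive_count += 1
            if self.max_receive_count is not None and msg.receive_count > self.max_receive_count:
                self._redrive(msg)               # poison message: move it aside instead of looping
                continue
            msg.invisible_until = now + self.visibility_timeout
            return msg
        return None

    def delete(self, message_id: str) -> None:
        """Step 3: the consumer confirms processing so the message is not delivered again."""
        self._messages.pop(message_id, None)

    def _redrive(self, msg: Message) -> None:
        del self._messages[msg.message_id]
        if self.dead_letter is not None:
            self.dead_letter.send(msg.body)

    def visible(self, now: float) -> list:
        return [m.message_id for m in self._messages.values() if m.invisible_until <= now]

    def size(self) -> int:
        return len(self._messages)


def consume_once(queue: Queue, handler: Callable[[str], None], now: float) -> Optional[str]:
    """One consumer poll: delete only after the handler succeeds, so a crash mid-way
    leaves the message to reappear when the visibility timeout expires."""
    msg = queue.receive(now)
    if msg is None:
        return None
    try:
        handler(msg.body)
    except Exception:
        return f"{msg.message_id}: failed, visible again at t={msg.invisible_until:g}"
    queue.delete(msg.message_id)
    return f"{msg.message_id}: processed and deleted"
```

Because a message that is never deleted simply reappears, consumers must be idempotent, and a message that keeps failing is parked in the dead-letter queue for inspection rather than retried forever.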
Which of the following are true about how
publishers communicate using Amazon SNS?
Select all that apply.
A. Publishers communicate asynchronously
with subscribers.
B. Publishers communicate synchronously with
subscribers.
C. Publishers communicate asynchronously
with consumers.
D. Publishers communicate synchronously with
producers.
A and C
Which of the following are A2P endpoints for
Amazon SNS? Select all that apply.
A. Mobile push notifications
B. Amazon SQS queues
C. Mobile text messages (SMS)
D. Email addresses
E. HTTP/S
A, C, and D
What kind of queue can you use to preserve
any messages that aren’t delivered before the
delivery retry policy ends? Choose the best
response.
A. Push queue
B. Retry queue
C. Hold-letter queue
D. Dead-letter queue
D
In Amazon SQS, which type of queue provides
enhanced messaging between applications
when the order of operations and events is
critical or where duplicates can’t be tolerated?
Choose the best response.
A. Dead-letter queue
B. Standard queue
C. FIFO queue
D. Push queue
C
What is the maximum length of an Amazon
SQS message? Choose the best response.
A. 156 KB
B. 256 KB
C. 356 KB
D. 498 KB
B
Which of the following are true when building
applications that use Amazon SQS? Select all
that apply.
A. You can decouple your application’s
functions into separate components.
B. You cannot decouple your application’s
functions into separate components.
C. Decoupled applications tend to provide
better resiliency across large workloads.
D. Decoupling the application components
does not allow them to scale independently.
A and C
In this module, you'll learn how to:
 Describe the internet of things (IoT)
 Describe AWS IoT products such as AWS IoT
Core, AWS IoT Device Management, AWS
IoT Device Defender, and AWS IoT 1-Click
 The internet of things (IoT) describes
connecting physical objects—things—to the
internet.
 These objects are embedded with software,
sensors, and other technologies that allow
them to connect and exchange data with other
devices or systems over the internet.
 These objects, also known as IoT devices, have
some processing power to control
communications.
 The stream of data they generate (typically
readings and measurements from sensors) is
known as telemetry.
 Things
– Physical “things” or devices that have embedded
sensors and are connected to the internet. These things
send telemetry data to a back-end application or
service that is hosted on the cloud.
 Insights
– Results from processing and analyzing the telemetry.
These insights are produced from real-time analysis,
machine learning, and other backend processes.
 Actions
– Automated or manual responses to the insights.
Actions can include things like:
• Automatically changing device settings
• A manual intervention to repair a piece of equipment
• An update to a computer system
 Examples of IoT devices and the type of
sensor they might include are:
– Thermostats with temperature and humidity
sensors
– A CPAP medical device with pressure,
temperature, and humidity sensors
– A fitness tracker with accelerometer,
gyroscope, and altimeter sensors
– A bank vault with presence sensors
 Typically, an IoT device sends readings or
measurements from its sensors to back-end
services in the cloud (device-to-cloud
communication).
 Cloud-to-device communication is also
possible where the back-end service sends
commands to the IoT device.
 Receiving readings and measurements from
devices
 Determining how to process and store data.
 Analyzing the readings and measurements to
provide either real-time or after the fact
insights.
 Sending commands from the cloud to all or
specific devices.
 Determining which devices can connect to
your infrastructure.
 Monitoring the state of devices.
 Managing the firmware installed on devices.
 AWS IoT SiteWise
– Allows you to collect, organize and analyze
industrial data at scale.
 AWS IoT Events
– A fully managed IoT service. It allows you to
detect and respond to events from massive
numbers of IoT sensors and applications.
 AWS IoT Analytics
– A fully managed service. It allows you to run
complex analytics on massive volumes (up to
petabytes) of IoT data.
 AWS IoT Device Management
– An AWS service that makes it easy to register, organize,
monitor, and remotely manage IoT devices securely and at
scale.
 AWS IoT Core
– Connect your IoT devices to the AWS cloud without needing
to deploy or manage servers.
– Supports trillions of messages and billions of devices.
 AWS IoT Device Defender
– A fully managed security service for your fleet of IoT devices.
– Constantly audits your IoT configurations to ensure that they
aren’t deviating from pre-defined security best practices.
 AWS IoT Things Graph
– An AWS service that allows you to visually connect these
different web services and devices when building your IoT
applications.
 AWS IoT Greengrass
– An IoT open-source cloud service and edge
runtime. Using IoT Greengrass, you can build,
deploy, and manage software for your devices.
 FreeRTOS
– An open-source, real-time OS for small, low-
power edge devices that use microcontrollers.
– Makes it easy to program, deploy, connect,
secure, and manage your devices.
– Consists of a kernel and a growing set of
software libraries.
 A simplified IoT solution that enables simple devices to
trigger AWS Lambda functions. The Lambda functions
then execute an action.
 You can find IoT 1-Click supported devices at
https://aws.amazon.com/iot-1-click/devices/
 Some examples of simple devices include but are not
limited to:
– Button-like devices that can be clicked to trigger particular
actions.
– Asset trackers that trace containers in warehouses or trucks
transporting materials.
– Temperature sensors that track temperatures and trigger
controls when temperatures reach pre-defined
thresholds.
– Card readers that track entry/exit of authorized personnel
into offices, data centers, factories, laboratories, or other
places with controlled access.
You are developing an IoT solution that requires
a managed service that provides communication
between AWS applications and massive numbers
of your IoT devices. Which AWS service would
you recommend? Choose the best response.
A. IoT Events
B. IoT Device Defender
C. IoT Analytics
D. IoT 1-Click
A
Which of the following AWS services provide
a high level of security for IoT devices?
Choose the best response.
A. IoT Core
B. IoT Device Management
C. IoT Device Defender
D. IoT SiteWise
C
Which AWS IoT service provides software that
runs on a gateway that resides on-premises?
Choose the best response.
A. IoT Core
B. IoT Device Management
C. IoT Events
D. IoT SiteWise
D
AWS IoT Core enables simple devices to
trigger AWS Lambda functions. True or false?
A. True
B. False
B
With AWS IoT Device Management, you can
send firmware updates OTA. True or false?
A. True
B. False
A
Which of the following is an AWS service that
allows you to visually connect these different
web services and devices when building your
IoT applications? Choose the best response.
A. IoT Things Graph
B. IoT Analytics
C. IoT Events
D. IoT SiteWise
A
Your organization is creating an app that tracks
humidity and temperature in refrigerated cases.
You need to be able to analyze the data even
though there might be gaps in the telemetry.
Which AWS IoT service would help with this
requirement? Choose the best response.
A. IoT Things Graph
B. IoT Analytics
C. IoT Events
D. IoT SiteWise
B
Which AWS IoT service allows you to select a
preferred connection protocol? Choose the
best response.
A. IoT Device Defender
B. IoT Greengrass
C. IoT Events
D. IoT Core
D
Which AWS IoT device software is an edge
runtime? Choose the best response.
A. FreeRTOS
B. IoT Greengrass
C. IoT SiteWise
D. IoT Core
B
With IoT Events, you define each event's logic
using basic if-then-else statements. True
or false?
A. True
B. False
A
In this module, you'll learn how to:
 Explain Big Data and Analytics and AWS
products such as Amazon Athena, Amazon
EMR, Amazon Redshift, Amazon Kinesis,
Amazon Elasticsearch Service, Amazon
QuickSight, and AWS Glue
 Describe Artificial Intelligence (AI) and
Machine Learning (ML) and identify AWS AI
and ML services such as Amazon Kendra,
Amazon Comprehend, Amazon Personalize,
and Amazon SageMaker
 When talking about big data, there are
three concepts to remember that are called
the “three Vs” of big data:
– Volume—the amount of data
– Variety—data comes from a wide range of
sources and formats
– Velocity—the speed at which data needs to be
collected, stored, processed, and analyzed
Service name / Used to…
Amazon Athena: Query data in S3 using SQL (interactive analytics)
Amazon EMR: Provide a hosted Hadoop framework and big data processing
Amazon Redshift: Perform data warehousing
Amazon Kinesis: Analyze real-time video and data streams
Amazon Elasticsearch Service (now Amazon OpenSearch Service): Run and scale Elasticsearch clusters (operational analytics)
Amazon QuickSight: Create dashboards and visualizations
AWS Glue DataBrew: Clean and normalize data (visual data preparation)
AWS Glue: Prepare and load data
AWS Lake Formation: Build secure data lakes
AWS Deep Learning AMIs: Perform deep learning on EC2
Amazon SageMaker: Build, train, and deploy machine learning models at scale
 Amazon Athena is an interactive query
service.
 Using Amazon Athena, you can analyze
data in Amazon S3 using standard SQL
queries.
 Athena is serverless, so you don’t need to
manage any infrastructure.
 Athena automatically performs software
updates and scales your infrastructure as
your datasets and number of users grow.
 It’s cost-effective
 It’s easy to get started
 It’s serverless
 It uses standard SQL for queries
 It’s fast
 It’s durable and highly available
 It’s secure
 It integrates with AWS Glue
 It can execute federated queries
 Amazon EMR is a managed analytics service
that lets you use open-source frameworks
such as:
– Hadoop
– Apache Spark
– Apache Hive
– Apache HBase
– Apache Flink
– Apache Hudi
– Presto
 Amazon EMR can be deployed on three
platforms:
– Amazon EC2—EMR manages provisioning,
management, and scaling of the EC2 instances.
– Amazon EKS—EMR runs on-demand Apache
Spark jobs on Amazon EKS without needing to
provision EMR clusters.
– AWS Outposts—EMR allows you to set up,
deploy, manage, and scale EMR in your on-
premises environments, just as you would in
the cloud.
 Batch processing (ETL)
 Machine learning
 Clickstream analysis
 Real-time streaming
 Interactive analytics
 Apache Hadoop framework
 Apache Spark
 Apache HBase
 Apache Flink
 Apache Hudi
 Presto
1. Develop your data processing application. EMR
supports many programming languages.
2. Upload your application and data to Amazon S3.
3. Configure and launch your cluster.
4. Monitor the cluster using the AWS Management
Console and Amazon CloudWatch.
5. Retrieve and visualize the output. The output
comes from Amazon S3 or HDFS on the cluster.
You can use visualization tools such as Amazon
QuickSight, MicroStrategy, and Tableau.
 AWS Glue is a fully managed, serverless ETL
(extract, transform, and load) service. AWS
Glue is built for complex projects such as:
– Building event-driven ETL (extract, transform,
and load) pipelines
– Finding data across multiple data stores by
creating and using a unified catalog
– Preparing and exploring data visually
– Building views to combine and replicate data
 The pharma company collects petabytes of clinical data logs
that are produced by clinical sites and stored in the cloud. The
company wants to analyze the clinical data logs to gain insights
into trial performance, side-effects, and other usage
information. It also wants to identify additional treatment
opportunities, develop compelling new therapeutics, drive
business growth, and provide a better experience to its trial
participants.
– To extract insights, the company hopes to use Amazon EMR with a
Spark cluster in the cloud to process and transform the joined data.
– The transformed data is then published into an AWS Lake Formation
data lake where reports can be generated.
– The company wants to automate this workflow so they can monitor
and manage it daily.
– They also want to execute this workflow when files arrive in an S3
bucket.
– The platform the company can use to solve this data scenario is AWS
Glue. You can use AWS Glue to schedule and create data-driven
pipelines (workflows) that can ingest data from different data stores.
 AWS Glue Data Catalog
 Job
 Crawler
 Connection
 Data store
 Data source
 Data target
 Dynamic Frame
 Table
 Transform
 Trigger
 Amazon QuickSight is a paid service that allows
everyone in your organization to understand your
data by asking questions in natural language,
exploring through interactive dashboards, or
automatically looking for patterns and outliers
powered by machine learning.
 Artificial intelligence (AI) is a computer
system or machine that can perform tasks
that typically require human intelligence.
 Machine learning (ML) is an application of
AI where systems can automatically learn
and develop from experience without being
programmed directly.
 Amazon SageMaker is a cloud-based environment
for creating and managing ML models. You can
build, train, test, deploy, and track your
models in one managed workspace.
 SageMaker Studio is a fully integrated
development environment (IDE) for
machine learning. You can use SageMaker
Studio to build, train, and deploy ML
models at scale.
Service / Used to…
Amazon SageMaker Autopilot: Provide automated machine learning capabilities that deliver complete visibility into your ML models.
Amazon SageMaker Ground Truth: Build extremely accurate training datasets for ML. Ground Truth uses custom or built-in data labeling workflows for videos, images, text, and 3D point clouds.
Amazon SageMaker JumpStart: Provide a set of solutions for common ML use cases and offer one-click deployable solutions, pre-trained ML models, and example notebooks.
Amazon SageMaker Data Wrangler: Radically reduce the time it takes to prepare and aggregate data for ML.
Amazon SageMaker Feature Store: Provide a purpose-built repository to share, store, retrieve, and update ML features.
Amazon SageMaker Clarify: Deliver transparency to your models by detecting bias across the ML workflow and explaining model behavior.
Amazon SageMaker Debugger: Optimize ML models with real-time monitoring of training metrics and system resources.
Amazon SageMaker Model Monitor: Detect and remediate concept drift to keep models more accurate over time.
Distributed Training: Automatically partition model and training data with distributed training on Amazon SageMaker.
Amazon SageMaker Pipelines: Deliver a continuous integration and continuous delivery (CI/CD) service for ML.
Amazon SageMaker Edge Manager: Help you efficiently monitor and manage ML models running on edge devices.
Service name / Used to…
Amazon Comprehend: Provide natural language processing to extract insights and relationships from unstructured text.
Amazon CodeGuru: Automate code reviews and identify expensive lines of code.
Amazon Lex: Build conversational agents to improve customer service.
Amazon Forecast: Build accurate forecasting models. Forecast is based on the same ML forecasting technology that Amazon.com uses.
Amazon Textract: Automatically and quickly extract text and data from millions of documents.
Amazon Kendra: Add natural language search capabilities to your apps so users can quickly find the information they need.
Amazon Fraud Detector: Identify possible fraudulent online activities. Fraud Detector is based on the same technology that Amazon.com uses.
Amazon Rekognition: Add video and image analysis to your applications. Rekognition allows you to catalog assets, automate media workflows, and extract insights.
Amazon Personalize: Personalize experiences for your customers based on the same ML technology used by Amazon.com.
Amazon Translate: Expand your reach through efficient translations to reach audiences in multiple languages.
Amazon Polly: Give voice to your applications by turning text into life-like speech.
Amazon Transcribe: Add high-quality speech-to-text capabilities to your applications and workflows.
Which of the following is a serverless,
interactive analytics service? Choose the best
response.
A. Amazon Athena
B. Amazon QuickSight
C. Amazon EMR
D. AWS Glue
A
Which of the following is a fully managed,
Apache Spark-based analytics platform
optimized for AWS? Choose the best
response.
A. Amazon Athena
B. Amazon QuickSight
C. Amazon EMR
D. AWS Glue
C
Which of the following does Athena integrate
with to create a unified metadata repository
across various services? Choose the best
response.
A. AWS Glue Data Catalog
B. Amazon QuickSight
C. Amazon Kinesis
D. Amazon EMR
A
An AWS Glue Dynamic Frame is self-
describing. True or false?
A. True
B. False
A
In AWS Glue, which component is a program
that connects to a data store, determines your
data’s schema, and then creates metadata
tables in the Glue Data Catalog? Choose the
best response.
A. Job
B. Crawler
C. Cluster
D. Dynamic Frame
B
Which of the following is a fully integrated
development environment for machine
learning? Choose the best response.
A. AWS Glue
B. Amazon Kinesis
C. Amazon QuickSight
D. SageMaker Studio
D
Match the AI service in Column A to its description in
Column B.
1. Amazon Comprehend
2. Amazon Kendra
3. Amazon Rekognition
4. Amazon Personalize
5. Amazon Polly
6. Amazon Transcribe
A. Add natural language search capabilities to your apps so users can quickly find the information they need.
B. Customize experiences for your customers based on the same ML technology used by Amazon.com.
C. Provide natural language processing to extract insights and relationships from unstructured text.
D. Add video and image analysis to your applications to catalog assets.
E. Add high-quality speech-to-text capabilities to your applications and workflows.
F. Give voice to your applications by turning text into life-like speech.
Answer: 1-C, 2-A, 3-D, 4-B, 5-F, 6-E
Which AWS AI service would you choose to
create an application with a conversational
interface? Choose the best response.
A. Amazon Transcribe
B. Amazon Polly
C. Amazon Rekognition
D. Amazon Lex
D
Which Amazon SageMaker service radically
reduces the time it takes to prepare and
aggregate data for ML? Choose the best
response.
A. JumpStart
B. Ground Truth
C. Data Wrangler
D. Pipelines
C
Your organization is setting up an AWS
solution that requires the ability to analyze all
of your data with a fast cloud data warehouse.
Which of the following would you choose?
Choose the best response.
A. Amazon Redshift
B. AWS Lake Formation
C. Amazon SageMaker
D. Amazon QuickSight
A (Lake Formation builds data lakes, not a data warehouse)
In this module, you'll learn how to:
 Describe DevOps solutions available on
AWS such as AWS CodeCommit,
CodeArtifact, CodeBuild, CodeDeploy, and
CodePipeline
 Describe other AWS developer tools such as
Cloud9, AWS CodeStar, and X-Ray
 DevOps (Development and Operations) is a
collection of principles and general practices
that stresses the collaboration of developers
and IT operations teams to form an
environment where software can be rapidly
developed, tested, and released in a largely
automated process.
 Amazon provides several services for
developers including:
– CodeCommit
– CodeArtifact
– CodeBuild
– CodeDeploy
– CodePipeline
 AWS CodeCommit is a source code version
control service.
 Using CodeCommit, you can store and
manage private Git repositories in the AWS
cloud.
 A repository is a hosting environment for
organizing a code or application
development project.
 A repository can contain anything a project
needs, including folders, files, images,
videos, spreadsheets, and data sets.
 AWS CodeArtifact is a fully managed artifact
repository service. You can use CodeArtifact to
securely store and share the software packages
you use for application development.
 Benefits
– Use packages from public artifact repositories
– Publish and share packages
– Approve packages for use
– View statistics on package usage
– Enable access control and monitoring
– Use AWS PrivateLink endpoints to access packages
within a VPC
 AWS CodeBuild is a fully managed
continuous integration service that compiles
source code, runs tests, and produces
software packages that you can deploy.
 With CodeBuild, you don’t need to
provision, scale, or manage build servers;
the infrastructure is included as part of the
CodeBuild service.
 Build project
 Build environment
 Build commands
 Build specification (buildspec)
 AWS CodeDeploy is a fully managed
deployment service that automates software
deployments to various compute services such
as AWS Lambda, AWS Fargate, Amazon EC2, or
on-premises servers. CodeDeploy provides the
following benefits:
– Automated software deployments
– Rapidly introduce new features in applications
– Minimized downtime by introducing changes
incrementally
– Centralized control over deployments with the
CodeDeploy console
– Works with any platform, language, or application
 Application
 Compute platform
 Deployment configuration
 Deployment group
 Deployment type
 IAM instance profile
 Revision
 Service role
 Target revision
 AWS CodePipeline is a continuous delivery
service that you can use to build, test, and
release deployments for your applications.
 Pipelines
 Stages
 Actions
 Pipeline executions
 Stopped executions
 Failed executions
 Superseded executions
 Stage executions
 Action executions
 Action types
 Transitions
 Artifacts
 Source revisions
 Cloud9
 AWS CodeStar
 X-Ray
 AWS Cloud9 is a cloud-based integrated
development environment (IDE) that you
use to write, run, and debug code.
 You can build applications that will run on a
server or applications for serverless
environments.
 You can use any machine with a browser to
use Cloud9.
 AWS CodeStar is a cloud-based service for
creating, managing, and working with
software development projects on AWS.
 AWS CodeStar provides a unified user
interface for multiple development
activities.
 AWS X-Ray is a development tool that
makes it easy for developers to analyze the
behavior of their distributed applications.
 X-Ray offers services such as
– Debugging
– Tracing
– Service mapping
Your organization needs to create a repository
for a development project. Which AWS
service will fit this requirement? Select all that
apply.
A. CodeCommit
B. CodeArtifact
C. CodeBuild
D. CodeDeploy
A and B
Which AWS development tool feature
provides build and release services to support
continuous integration of your apps? Choose
the best response.
A. CodeBuild
B. CodePipeline
C. CodeDeploy
D. X-Ray
A
Which AWS development tool is an integrated
development environment (IDE) that you use
to write, run, and debug code? Choose the
best response.
A. CodeStar
B. CodeBuild
C. CodeArtifact
D. Cloud9
D
An artifact is a group of build commands and
associated settings that CodeBuild uses to run
a build. True or false?
A. True
B. False
B
Which of the following AWS developer tools
are NOT part of the Developer Tools console?
Select all that apply.
A. Cloud9
B. CodeBuild
C. CodeDeploy
D. X-Ray
E. CodeStar
A, D, and E
Which one of the following AWS services
provides a cloud-based service for creating,
managing, and working with software
development projects on AWS? Choose the best
response.
A. CodeCommit
B. CodeBuild
C. CodeStar
D. CodeDeploy
E. Cloud9
C
A pipeline must have at least two stages. True
or false?
A. True
B. False
A
Which of the following are the collections of
data that are worked on by pipeline actions?
Choose the best response.
A. Pipelines
B. Artifacts
C. Actions
D. Deployments
E. Repositories
B
Which of the following services does X-Ray
perform? Select all that apply.
A. Debugging
B. Deployments
C. Service mapping
D. Tracing
E. Code storage
A, C, and D
Your organization wants to deploy serverless
AWS Lambda functions using CodeDeploy.
Will CodeDeploy meet this requirement? Yes
or No?
A. Yes
B. No
A
You should now know how to:
 Describe AWS messaging and queuing and AWS products such
as Amazon Simple Notification Service (Amazon SNS) and
Amazon Simple Queue Service (Amazon SQS)
 Describe the internet of things (IoT) and AWS IoT products such
as AWS IoT Core, AWS IoT Device Management, AWS IoT Device
Defender, and AWS IoT 1-Click
 Explain Big Data and Analytics and AWS products such as
Amazon Athena, Amazon EMR, Amazon Redshift, Amazon
Kinesis, Amazon Elasticsearch Service, Amazon QuickSight, and
AWS Glue
 Describe Artificial Intelligence (AI) and Machine Learning (ML)
and identify AWS AI and ML services such as Amazon Kendra,
Amazon Comprehend, Amazon Personalize, and Amazon
SageMaker
 Describe DevOps solutions such as AWS CodeCommit,
CodeArtifact, CodeBuild, CodeDeploy, CodePipeline, Cloud9,
AWS CodeStar, and X-Ray
In this chapter, you'll learn how to:
 Describe cloud security fundamentals and
AWS security services
 Explain authentication and authorization for
the AWS cloud
 Describe AWS detection and incident
response services
 Describe AWS infrastructure and data
protection services
In this module, you'll learn how to:
 Describe the shared responsibility model for
security
 Describe the defense in depth model
 Describe AWS security service categories
and services
Cloud services have multiple potential security challenges,
some of which are unique and others that are shared with
traditional network services.
 Any cloud service is still a network service and is subject
to network attacks.
 Using an off-premises cloud service requires secure
communications to and from the cloud.
 Apart from the need for secured communications with
outside providers, using a cloud service for sensitive
information means giving a lot of control of its handling
over to another entity.
 Attacks on public cloud services can affect several or
even all customers at a time.
 Different cloud services have varying privacy policies on
how they might share customer data and information
and precisely what jurisdictional privacy laws apply.
 Confidentiality
– Ensuring that information is viewable only by
authorized users or systems, and is either
inaccessible or unreadable to unauthorized
users.
 Integrity
– Ensuring that information remains accurate and
complete over its entire lifetime.
 Availability
– Ensuring that information is always easily
accessible to authorized users.
 Risk
– The chance of harm coming to an asset.
 Threat
– Anything that can cause harm to an asset.
 Vulnerability
– Any weakness the asset has against potential
threats.
 Security is a concern shared by the cloud provider
and the customer. This is called the shared
responsibility model.
 In the shared responsibility model, the cloud
provider is responsible for "security of the cloud":
the physical facilities, hardware, network, and the
software that runs the cloud services.
 The customer is responsible for "security in the
cloud": the configuration of the resources they use,
for example identities and permissions (IAM),
security groups and network layout, encryption of
their data, and patching of any guest operating
system they run on EC2. How far up the stack the
customer's share reaches depends on the service
model (IaaS, PaaS, or SaaS).
 Identity & access management
 Detection
 Infrastructure protection
 Data protection
 Incident response
 Compliance
Identity & access management
Service / Used to…
AWS Identity & Access Management (IAM): Manage access to resources and services
AWS Single Sign-On (now AWS IAM Identity Center): Provide single sign-on (SSO) to cloud services
Amazon Cognito: Manage app identities (sign-up, sign-in, and federation for web and mobile apps)
AWS Directory Service: Provide a managed Microsoft Active Directory (AD)
AWS Resource Access Manager: Securely share AWS resources across accounts
AWS Organizations: Centrally manage and govern related AWS accounts

Detection
Service / Used to…
AWS Security Hub: Provide a cohesive security and compliance center
Amazon GuardDuty: Manage threat detection
Amazon Inspector: Analyze application security (automated vulnerability assessment)
AWS Config: Record and evaluate AWS resource configurations
AWS CloudTrail: Track user activity and API usage

Infrastructure protection
Service / Used to…
AWS Network Firewall: Provide network security for VPCs
AWS Shield: Provide DDoS protection
AWS Web Application Firewall (WAF): Filter malicious web traffic
AWS Firewall Manager: Centrally manage firewall rules across accounts

Data protection
Service / Used to…
Amazon Macie: Find and protect your sensitive data at scale
AWS Key Management Service (KMS): Manage and store keys
AWS CloudHSM: Store keys in dedicated hardware security modules for regulatory compliance
AWS Certificate Manager: Provision, deploy, and manage public and private SSL/TLS certificates
AWS Secrets Manager: Rotate, manage, and retrieve secrets

Incident response
Service / Used to…
Amazon Detective: Investigate potential security issues
CloudEndure Disaster Recovery: Provide quick, automated disaster recovery

Compliance
Service / Used to…
AWS Artifact: Provide on-demand access to compliance reports and agreements
AWS Audit Manager: Audit AWS usage and assess compliance and risks
Which of the following is anything that can
cause harm to an asset? Choose the best
response.
A. Risk
B. Threat
C. Vulnerability
D. Incident
B
Which of the following describes the shared
responsibility model? Select two responses.
A. The cloud provider is responsible for security
of the cloud.
B. The cloud provider is responsible for security
in the cloud.
C. The customer is responsible for security of
the cloud.
D. The customer is responsible for security in
the cloud.
A and D
Order the defense in depth layers from the top to
the bottom of the illustration.
1. Host
2. Data
3. Users and organization
4. Internal network
5. Application
6. Perimeter network
7. Physical facility
Correct Order is: 2, 5, 1, 4, 6, 7, 3
Which AWS identity & access management
service allows you to manage identities for
your apps? Choose the best response.
A. AWS Identity & Access Management
(IAM)
B. Amazon Inspector
C. AWS Resource Access Manager
D. Amazon Cognito
D
Which AWS detection service provides a
threat detection service? Choose the best
response.
A. AWS Security Hub
B. Amazon Inspector
C. Amazon GuardDuty
D. AWS CloudTrail
C
Which AWS infrastructure service provides
DDoS protection? Choose the best response.
A. AWS Security Hub
B. AWS Network Firewall
C. AWS Shield
D. AWS Web Application Firewall (WAF)
C
Which AWS data protection service allows
you to store hardware-based keys for
regulatory compliance? Choose the best
response.
A. Amazon Macie
B. AWS Key Management Service (KMS)
C. AWS Certificate Manager
D. AWS CloudHSM
D
Which incident response service allows you to
investigate potential security issues? Choose
the best response.
A. AWS Artifact
B. Amazon Detective
C. Amazon Inspector
D. AWS Audit Manager
B
Which AWS service allows you to access
compliance reports? Choose the best
response.
A. AWS Artifact
B. AWS Certificate Manager
C. AWS Audit Manager
D. Amazon Inspector
A
In this module, you'll learn how to:
 Explain the difference between
authentication and authorization
 Describe the functionality and usage of
multi-factor authentication (MFA) and single
sign-on (SSO)
 Describe the functionality and usage of
AWS Directory Service
Authentication: Verification of a principal's identity, for example via a
user name/password or an ID card. Authentication is sometimes referred to
as AuthN.
Authorization: Specifying the exact resources a given authenticated user is
allowed to access. Sometimes referred to as AuthZ.
Accounting: Tracking the actions of an authenticated user for later review.
Knowledge Something you know, like a password, PIN,
or answer to a challenge question.
Possession Something you have, like a physical key, ID
badge, or smart card. Traditionally, this
includes any form of digital data a human
can’t be expected to memorize.
Inherence Something you are, a unique physical or
behavioral characteristic like a fingerprint,
voiceprint, or signature. Biometrics are
inherence elements based on personal
physical characteristics.
 Somewhere you are
– Recognizing a network user’s physical location.
 Something you can do
– Behavioral recognition, such as analyzing the
pattern of someone’s keystrokes to recognize a
typing pattern.
 Something you exhibit
– Behaviors of a more inherent sort, like personality
traits or even detectable neurological activities.
 Someone you know
– Connections to another person who is trusted via
personal relationships or chain of trust
authentication systems.
 There are two main families of authentication
and authorization protocols used with AWS:
SAML, and OAuth 2.0 together with OpenID Connect.
 Security Assertion Markup Language
(SAML) is an open XML-based standard
that’s used to exchange authentication and
authorization information.
Principal: A client seeking to be authenticated, typically an end user.
IdP: An Identity Provider is an authentication server that holds a directory
of users and their attributes and issues signed assertions about them.
SAML federations can have any number of IdPs.
SP: A Service Provider is a server containing resources, such as a web
application, that relies on the IdP's assertions.
 AWS supports the OpenID Connect (OIDC)
protocol for handling authentication and
the Open Authorization (OAuth) 2.0
protocol for handling authorization.
 Multi-factor-authentication (MFA) and
single sign-on (SSO) are methods of
controlling identity authentication and
authorization.
 Multi-factor authentication (MFA) provides additional
security by requiring two or more elements from the
authentication factors for full authentication.
 Two-factor authentication (2FA) is popular for modern
high-security applications.
 To protect your AWS resources, AWS recommends configuring
multi-factor authentication (MFA). You can enable MFA for the
AWS account root user and for IAM users. Enable it on the root
user first: that identity cannot be restricted by IAM policies.
 AWS supports the following MFA mechanisms for access to AWS
websites and services:
– Virtual MFA device—an app that runs on a mobile device or phone
and imitates a physical device, generating a time-based six-digit
code.
– FIDO security key (U2F/FIDO2)—a device that you plug into a
computer's USB port and tap instead of entering a code manually.
This is the strongest option: the response is bound to the site,
so it cannot be phished.
– Hardware MFA device—a dedicated token that generates a six-digit
numeric code that the user types on the sign-in page.
– SMS text message MFA—AWS sends a six-digit numeric code by SMS to
the user's registered mobile number. This was only ever a preview
feature and AWS has discontinued it; SMS codes are also exposed to
SIM-swap and interception attacks, so prefer one of the mechanisms
above.
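As an added example (not part of the course material and not AWS code), the following Python shows what a virtual or hardware MFA device computes when it displays a six-digit code, and what a careful verifier must do with that code: HOTP from RFC 4226 and TOTP from RFC 6238, standard library only. The secret is the RFCs' published test key, so the values are checkable against the RFC vectors. AWS's own verifier is not public; `verify_totp` is this editor's statement of what any correct verifier must do (skew window, constant-time compare, replay refusal), not AWS's implementation.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # AWS virtual and hardware MFA devices show six-digit codes
STEP = 30    # seconds per TOTP time step (RFC 6238 default)

# RFC 4226/6238 test secret (ASCII "12345678901234567890"). A real device
# receives a random secret, usually as a QR code, when MFA is enabled.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with counter = Unix time // step.
    This is what the app on the user's phone computes every 30 seconds."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_step: int = -1,
                window: int = 1):
    """Server-side check. Returns the time step the code was accepted for,
    or None. Three details a naive check gets wrong:
      * tolerate +/- `window` steps of clock skew between phone and server;
      * compare in constant time so timing does not leak the right code;
      * never accept a step at or before `last_step` (the last step this
        user already authenticated with), so a code captured by phishing
        or shoulder-surfing cannot be replayed inside its 30 s window.
    """
    current = at // STEP
    for step in range(current - window, current + window + 1):
        if step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


if __name__ == "__main__":
    t = 59  # RFC 6238 test vector time
    print("device shows:", totp(TEST_SECRET, t))                        # 287082
    print("accepted at step:", verify_totp(TEST_SECRET, "287082", t))   # 1
    print("replay:", verify_totp(TEST_SECRET, "287082", t, last_step=1))  # None
```

The replay guard is the part most home-grown verifiers omit: the caller must persist the returned step per user and pass it back as `last_step` on the next attempt. Note also why the same code cannot protect against a real-time phishing proxy: the attacker simply forwards the six digits within the window, which is the gap a FIDO key closes.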
 Single sign-on (SSO) systems allow users to
access many services with one set of
credentials.
 You can use AWS SSO (now AWS IAM Identity Center)
with your AWS applications to perform authentication
and to access user or group information.
 AWS SSO accomplishes this by providing an
identity store that contains user and group
attributes but doesn’t include their sign-in
credentials. There are two methods to keep an
AWS SSO identity store up to date:
– Use the AWS SSO identity store as your main
identity source so it is always up to date.
– Set up synchronization (provisioning) of users and
groups coming from either Active Directory or an
external identity provider to your AWS SSO identity
store.
 AWS Managed Microsoft AD
– AWS Managed Microsoft AD is built on Microsoft’s Active
Directory (Microsoft AD). You don’t need to replicate or
synchronize your data from your existing Active Directory to the
cloud.
 AD Connector
– AD Connector is a proxy service that you can use to connect
compatible applications and EC2 for Windows Server instances
to your current on-premises Microsoft AD.
 Simple AD
– Simple AD is a standalone Microsoft AD–compatible directory powered by
Samba 4. Simple AD supports basic AD features such as user accounts, groups,
joining Windows or Linux EC2 instances to the domain, group policies, and
Kerberos-based SSO, but not features such as trust relationships with other
domains.
 Amazon Cognito
– Amazon Cognito is a user directory that adds identity services
to your web or mobile apps using Amazon Cognito User Pools.
Your organization has several solutions on AWS.
You want to allow users to sign onto several
different apps using the same credentials. Which
of the following services is best suited to
accomplish this? Choose the best response.
A. SSO
B. IAM policies
C. AWS Connect
D. MFA
A
Which of the following is true for AWS authentication and
authorization? Choose the best response.
A. It uses OpenID Connect protocol for handling
authentication and the OAuth 2.0 protocol for
handling authorization.
B. It uses OAuth 2.0 protocol for handling
authentication and the OpenID Connect protocol for
handling authorization.
C. It uses OpenID Connect protocol for handling
authentication and the SAML protocol for handling
authorization.
D. It uses SAML protocol for handling authentication
and the OAuth 2.0 protocol for handling
authorization.
A
Which authentication factor includes
biometrics? Choose the best response.
A. Knowledge
B. Possession
C. Inherence
D. Location
C
Your organization is deploying several solutions
in AWS. You want to centrally manage identities
for accessing AWS resources and signing into
Microsoft 365. Which of the following would you
recommend using? Choose the best response.
A. Amazon Cognito
B. Simple AD
C. AWS Connect
D. AWS Managed Microsoft AD
D
Which of the following requires two or more
elements from the authentication factors for
full authentication? Choose the best response.
A. AWS Microsoft Managed AD
B. SSO
C. Simple AD
D. MFA
D
Your organization has several web and mobile
apps that collect user identities. Which AWS
Directory Service can you use to manage these
identities? Choose the best response.
A. SSO
B. Simple AD
C. Amazon Cognito
D. AD Connector
C
You want to use Microsoft AD to provide a single
user identity that can be used for authentication
and authorization to all resources, no matter
where the resource is located (cloud or on-
premises). Which of the following services would
you recommend? Choose the best response.
A. AWS Managed Microsoft AD
B. Simple AD
C. Amazon Cognito
D. AD Connector
D
Your organization is planning on deploying a
solution in the AWS cloud. They are planning
to implement MFA for identities hosted in
AWS. Is it necessary to deploy a federation
solution or sync on-premises identities to the
cloud?
A. Yes
B. No
B
In this module, you'll learn how to:
 Describe the functionality of AWS detection
services
 Describe AWS incident response services
 Intrusion detection systems (IDS) monitor networks
and hosts for suspicious behavior and raise alerts;
intrusion prevention systems (IPS) sit inline and can
also block the traffic they flag.
Service / Used to…
AWS Security Hub: Provide a cohesive security and compliance center
Amazon GuardDuty: Manage threat detection
Amazon Inspector: Analyze application security
AWS Config: Record and evaluate AWS resource configurations
AWS CloudTrail: Track user activity and API usage
 AWS Security Hub is an all-encompassing
security monitoring service. Security Hub
gathers security data from across AWS
accounts, services, as well as from
supported third-party partner products.
 In the AWS Security Hub, you can view
findings, alerts, and recommendations to
improve your security posture.
 Amazon GuardDuty is a threat detection service
that continuously analyzes activity in your AWS
accounts and workloads for malicious or unauthorized
behavior, such as credential misuse, reconnaissance,
or communication with known-bad hosts.
 For these sources GuardDuty needs no agents: it
analyzes log data that AWS already collects. Data
sources include:
– VPC Flow Logs
– AWS CloudTrail management events
– CloudTrail S3 data events
– DNS query logs (Route 53 resolver)
 Account
– A standard AWS account that contains your AWS resources.
 Detector
– An object that represents the GuardDuty service in a region. For
each region where you use GuardDuty, a separate detector is
created.
 Data source
– The location of the data that will be processed by GuardDuty.
 Finding
– A possible security issue detected by GuardDuty.
 Suppression rule
– A combination of attributes that you can use to silence findings.
 Trusted IP list
– A list of IP addresses that your AWS environment trusts; GuardDuty won't
produce findings for communication with them.
 Threat list
– A list of known malicious IP addresses that GuardDuty will
generate findings for if they are detected.
 Amazon Inspector is an automated security
assessment service. You can use Inspector
to improve the security and compliance of
your applications deployed on AWS.
 You can use Amazon Inspector to
automatically assess applications for
vulnerabilities, exposures, and departures
from best practices.
 Amazon Inspector agent
– An Amazon Inspector agent is a software component that you can install on the EC2
instances that are included in an assessment target. The Amazon Inspector agent collects
a wide set of configuration data (telemetry).
 Assessment run
– The process of analyzing an assessment target’s configuration against specified rules
packages to discover potential security issues.
 Assessment target
– A group of AWS resources for which Amazon Inspector evaluates the security state.
 Assessment template
– An assessment template is a set of specifications that is used during your assessment
run.
 Finding
– A finding is a potential security issue that Inspector finds during an assessment run of a
specified target.
 Rule
– A rule is a security check that Inspector performs during an assessment run.
 Rules package
– A rules package is group of rules that Inspector uses during an assessment run.
 Telemetry
– The telemetry comes from the installed software configuration and package information
for an EC2 instance.
 To start using Inspector, you can enable it
using the AWS Management console. Sign
in to your AWS Management console, and
then click Services > Inspector. Inspector is
under Security, Identity, & Compliance.
 AWS Config is a service that allows you to
audit, assess, and evaluate the
configurations of your AWS resources.
 Config continuously monitors and records
your AWS resources’ configurations.
1.A configuration change occurs in your AWS
resources.
2.AWS Config records and normalizes the
changes into a consistent format.
3.If you are using AWS Config rules, AWS
Config continuously evaluates your AWS
resource configurations for desired settings.
4.If a resource violates the conditions of a rule,
AWS Config flags the resource and the rule as
noncompliant.
5.When the compliance status of a resource
changes, AWS Config sends an alert to your
Amazon SNS topic.
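The record, evaluate, flag and notify flow above, as an added example that is not part of the original course and not AWS code. The configuration items, rule implementations and the resource shapes are constructed for illustration; the rule names are only modelled on AWS Config managed rules, and the final step returns compliance transitions, which is what would drive the SNS alert.

```python
"""Added example (not AWS code): a miniature AWS Config-style rule
evaluation over constructed configuration items."""

# Constructed configuration items in a normalised shape (assumption:
# real AWS Config items carry far more fields than shown here).
CONFIG_ITEMS = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-web",
     "configuration": {"ingress": [{"port": 80, "cidr": "0.0.0.0/0"}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-admin",
     "configuration": {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "logs-bucket",
     "configuration": {"encryption": "aws:kms", "publicAccessBlock": True}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "uploads-bucket",
     "configuration": {"encryption": None, "publicAccessBlock": False}},
]

# Each rule returns True when the item is compliant. Names are modelled on
# AWS Config managed rules; the implementations are hypothetical.
def restricted_ssh(item):
    return not any(r["port"] == 22 and r["cidr"] in ("0.0.0.0/0", "::/0")
                   for r in item["configuration"]["ingress"])

def s3_bucket_encryption_enabled(item):
    return item["configuration"]["encryption"] is not None

def s3_bucket_public_access_blocked(item):
    return item["configuration"]["publicAccessBlock"] is True

RULES = {
    "AWS::EC2::SecurityGroup": [restricted_ssh],
    "AWS::S3::Bucket": [s3_bucket_encryption_enabled, s3_bucket_public_access_blocked],
}

def evaluate(items, rules=RULES):
    """Steps 2-4: evaluate every recorded item against the rules for its
    type. Returns {(resourceId, ruleName): 'COMPLIANT' | 'NON_COMPLIANT'}."""
    results = {}
    for item in items:
        for rule in rules.get(item["resourceType"], []):
            status = "COMPLIANT" if rule(item) else "NON_COMPLIANT"
            results[(item["resourceId"], rule.__name__)] = status
    return results

def noncompliant(results):
    return sorted(key for key, status in results.items() if status == "NON_COMPLIANT")

def compliance_changes(previous, current):
    """Step 5: only a change of compliance status is worth an SNS alert,
    not every evaluation."""
    return sorted((key, status) for key, status in current.items()
                  if previous.get(key) != status)

if __name__ == "__main__":
    first = evaluate(CONFIG_ITEMS)
    for key in noncompliant(first):
        print("NON_COMPLIANT", key)
    # Simulate a remediation: restrict SSH on sg-admin, then re-evaluate.
    CONFIG_ITEMS[1]["configuration"]["ingress"] = [{"port": 22, "cidr": "10.0.0.0/8"}]
    for change in compliance_changes(first, evaluate(CONFIG_ITEMS)):
        print("alert:", change)
```

Run stand-alone it lists the three noncompliant (resource, rule) pairs, then a single alert for sg-admin becoming compliant; the compliant resources stay silent, which is the behaviour you want from a compliance feed.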
 AWS CloudTrail is primarily an auditing and
monitoring service, but because it records every
API call it also serves as a security detection
source.
 CloudTrail creates logs that give you specific
information on what occurred in your AWS
account by recording API calls.
 When an API call occurs, the following
information is recorded for the API caller:
– Its identity
– The time of the call
– Its source IP address
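Detection logic over CloudTrail records, as an added example that is not part of the original course and not AWS code. It uses exactly the three attributes listed above (identity, time, source IP) to raise three alerts a practitioner typically wants from CloudTrail: root-account use, attempts to stop or alter the trail, and repeated console login failures. The records are constructed and trimmed to the fields used; real records carry many more (eventSource, awsRegion, requestParameters and so on).

```python
"""Added example (not AWS code): detection logic run over constructed
CloudTrail records."""
import json
from collections import defaultdict

ACCOUNT = "123456789012"   # constructed account ID
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:12Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:05:01Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T10:05:20Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T10:05:44Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "sourceIPAddress": "10.0.0.5", "responseElements": None},
    {"eventTime": "2024-05-01T10:31:07Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "sourceIPAddress": "10.0.0.5", "responseElements": None},
]})

# API calls that reduce your own visibility; each deserves a look even
# when legitimate (UpdateTrail can be routine, so tune this to your org).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def detect(log_json, failure_threshold=3):
    """Return (rule, identity, source IP, time) tuples for each alert."""
    records = json.loads(log_json)["Records"]
    alerts, failures = [], defaultdict(list)
    for rec in records:
        who = rec["userIdentity"].get("arn", "unknown")
        src = rec.get("sourceIPAddress", "unknown")
        when = rec["eventTime"]
        if rec["userIdentity"].get("type") == "Root":
            alerts.append(("root-account-activity", who, src, when))
        if rec["eventName"] in TRAIL_TAMPERING:
            alerts.append(("cloudtrail-tampering", who, src, when))
        if (rec["eventName"] == "ConsoleLogin"
                and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Failure"):
            failures[(who, src)].append(when)
    # Brute-force heuristic: N failures for the same identity from one IP.
    for (who, src), times in failures.items():
        if len(times) >= failure_threshold:
            alerts.append(("console-login-brute-force", who, src, times[-1]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The same logic, fed by CloudTrail delivery to S3 or CloudWatch Logs, is the kind of rule GuardDuty ships built in; writing it yourself is mainly useful for org-specific checks (for example, console logins from outside your corporate address space).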
1. Detect
2. Assess
3. Diagnose
4. Stabilize and recover
5. Close
 Detective is a paid AWS service that is designed to
simplify this investigation process.
 Detective automatically collects your AWS resources’
log data. Also, Detective can ingest massive
amounts of events from data sources such as:
– VPC flow logs
– AWS CloudTrail logs
– Amazon GuardDuty findings
 Detective then automatically uses statistical analysis,
machine learning, and graph theory to create a
unified, interactive view of your users, resources, and
the interactions between them for periods of time.
 You can use this unified view to see all the details
and context in one location.
 Administrator account
 Behavior graph
 Source data
 Entity
 Finding
 High-volume entity
 Investigation
 Member account
 Profile
 Profile panel
 Relationship
 Scope time
 CloudEndure Disaster Recovery is a paid
AWS service that is designed to help
organizations recover from IT disasters. IT
disasters include:
– Data center failures
– Server corruptions
– Cyber attacks
 CloudEndure Disaster Recovery works on
public regions, AWS Outposts, and the AWS
GovCloud (US).
Continued…
 Using CloudEndure, you can perform the
following types of disaster recoveries:
– On-premises to cloud
– On-premises to on-premises
– Cross-region
– Cross-cloud
Order the stages of an incident response.
1. Diagnose
2. Detect
3. Close
4. Assess
5. Stabilize and recover
Correct Order is: 2, 4, 1, 5, 3
Which of the following AWS detection
services provides a comprehensive view of
your security posture for all your AWS
accounts? Choose the best response.
A. GuardDuty
B. Security Hub
C. Inspector
D. AWS Config
E. Detective
B
Which of the following is a security
monitoring service that continuously scans
your AWS workloads for security issues?
Choose the best response.
A. GuardDuty
B. Detective
C. Amazon Macie
D. AWS Shield
A
Which of the following is an AWS automated
security assessment service? Choose the best
response.
A. GuardDuty
B. Security Hub
C. Inspector
D. AWS Shield
C
Your organization has specific requirements for
resources that must meet several regulatory
compliance standards. Which AWS service can
help you ensure your resource configurations
meet these standards? Choose the best
response.
A. Security Hub
B. Inspector
C. AWS Secrets Manager
D. AWS Config
D
Your organization is using GuardDuty. You keep
receiving alerts about a supposed security issue
from a specific user that you know is not an
issue. What can you do to stop receiving these
alerts? Select all that apply.
A. Create a suppression rule.
B. Remove the user’s IP address from the Trusted IP list.
C. Add the user’s IP address to the Trusted IP list.
D. Add the user’s IP address to the Threat list.
E. Remove the detector from that region.
A and C
Your organization is using Amazon Inspector. You
want to inspect your AWS environment to
determine if it meets several organizational
security goals. Which of the following would help
you accomplish this task? Choose the best
response.
A. Create a finding based on the security goals.
B. Create a rules package based on the security
goals.
C. Create a detector based on the security
goals.
D. Install an Inspector agent.
B
Which AWS service can give you specific
information on what occurred in your AWS
account by recording API calls? Choose the
best response.
A. AWS Config
B. Inspector
C. AWS CloudTrail
D. CloudEndure
C
Your organization is creating a disaster
recovery plan for its cloud environment.
Which AWS service can help your
organization quickly recover if a disaster
occurs? Choose the best response.
A. AWS Config
B. Amazon Macie
C. Security Hub
D. CloudEndure
D
Which of the following are included on a
Detective behavior graph? Select all that
apply.
A. Findings
B. Targets
C. Entities
D. Relationships
A, C, and D
In this module, you'll learn how to:
 Describe the functionality AWS network access
control features, including network ACLs and
security groups
 Describe denial of service attacks and the
functionality of AWS Shield
 Describe the functionality and usage of AWS
Network Firewall, AWS Web Application
Firewall (WAF), and AWS Firewall Manager
 Describe the functionality and usage of AWS
Key Management Service (KMS), AWS Secrets
Manager, AWS Certificate Manager, and
Amazon Macie
 The risk of sending sensitive data over the
network is entirely a function of where the
data goes and who can receive it; in fact,
the same rule applies to the network’s risk
of malicious traffic.
 The switches and routers that direct traffic
on the network for performance and
connectivity are among the most powerful
tools for securing it.
 Access control lists (ACLs) are lists attached
to a resource, giving permissions or rules
about precisely who can access it.
 A network ACL specifies what types of traffic
are and aren’t allowed to pass through a
device like a router or a firewall.
 Network ACLs are stateless.
 A VPC automatically comes with a default
configurable network ACL.
 Custom network ACLs can be associated with a
subnet.
 Network ACLs have separate inbound and outbound
rules.
 Every VPC subnet is associated with exactly one
network ACL; if you don’t associate a custom one, the
subnet uses the VPC’s default network ACL.
 One network ACL can be associated with multiple
subnets.
 A network ACL includes a numbered list of rules.
 There are quotas for the number of network ACLs
per VPC.
 Rule number
 Type
 Protocol
 Port range
 Source
 Destination
 Allow/Deny
 A security group is a collection of access
control rules that define traffic filters.
 You can use a security group to act as a
virtual firewall to filter inbound (ingress) or
outbound (egress) network traffic in an AWS
VPC.
 When you create a security group, you must give it a name
and a description.
 You can specify allow rules.
 You cannot specify deny rules.
 You can specify individual rules that cover inbound or
outbound traffic, or both.
 You can use security group rules to filter traffic based on
port numbers and protocols.
 In AWS, security groups are stateful—if a request is sent
from an EC2 instance, the response traffic for that request
is permitted to flow in or out regardless of inbound or
outbound security group rules.
 When creating a new security group, it does not have any
inbound rules until you add them.
Continued…
 When creating a new security group, it includes a
default outbound rule that allows all outbound traffic.
You can remove this rule and add outbound rules as
needed.
 There are quotas for the following items; the quota
number depends on your account:
– The number of rules that you can add to each security
group
– The number of security groups that you can create per VPC
– The number of security groups that you can associate with a
network interface
 Security groups are associated with network interfaces.
When you create a network interface, by default, it is
associated with the VPC’s default security group.
 You can only use a security group in the VPC that you
specified during the group’s creation.
 Source: (Inbound rules only) This includes the
source of the traffic and the destination port or
port range. The source can be a single IPv4/IPv6
address, an IPv4/IPv6 CIDR block, another security
group, or a prefix list ID.
 Destination: (Outbound rules only) This includes the
destination for the traffic and the destination port
or port range. The destination can be a single
IPv4/IPv6 address, an IPv4/IPv6 CIDR block, another
security group, or a prefix list ID.
 You can use any protocol that has a standard
protocol number.
 An optional description for the security group rule.
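The two filtering layers described above (network ACLs: numbered rules, first match wins, stateless; security groups: allow rules only, stateful) as one added example that is not part of the original course and not AWS code. The rules and the packet are constructed; the model shows why a stateless ACL needs an ephemeral-port rule for reply traffic, why a deny rule only takes effect if its number is lower than the competing allow, and why a security group with no outbound rules still lets a reply out.

```python
"""Added example (not AWS code): how a stateless network ACL and a
stateful security group decide whether a packet passes."""
import ipaddress

def _rule_matches(rule, protocol, dst_port, remote_ip):
    lo, hi = rule["ports"]
    return (rule["protocol"] in ("-1", protocol)          # "-1" means all protocols
            and lo <= dst_port <= hi
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule["cidr"]))

def nacl_decision(rules, packet, direction):
    """Network ACL: rules are checked in ascending rule number and the
    first match decides. Nothing is remembered between packets, so the
    reply to an allowed request is judged on its own. If no numbered
    rule matches, the implicit '*' rule denies."""
    dst_port = packet["local_port"] if direction == "in" else packet["remote_port"]
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _rule_matches(rule, packet["protocol"], dst_port, packet["remote_ip"]):
            return rule["action"]
    return "deny"

class SecurityGroup:
    """Security group: allow rules only, plus a connection table. The
    table is what makes it stateful: a reply to an allowed request is
    permitted regardless of the rules in the reply's direction."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.connections = set()

    def decision(self, packet, direction):
        key = (packet["protocol"], packet["remote_ip"], packet["remote_port"], packet["local_port"])
        if key in self.connections:
            return "allow"                      # tracked reply traffic
        rules = self.inbound if direction == "in" else self.outbound
        dst_port = packet["local_port"] if direction == "in" else packet["remote_port"]
        for rule in rules:                      # order is irrelevant: any allow suffices
            if _rule_matches(rule, packet["protocol"], dst_port, packet["remote_ip"]):
                self.connections.add(key)
                return "allow"
        return "deny"                           # implicit deny; there are no deny rules

ANY = "0.0.0.0/0"
# A web server: HTTP in from anywhere.
NACL_IN = [{"number": 100, "protocol": "tcp", "ports": (80, 80), "cidr": ANY, "action": "allow"}]
# Outbound ACL that only allows HTTPS out: the reply to the HTTP request
# goes to the client's ephemeral port and is dropped.
NACL_OUT_BROKEN = [{"number": 100, "protocol": "tcp", "ports": (443, 443), "cidr": ANY, "action": "allow"}]
# The rule every stateless ACL needs: allow the ephemeral port range.
NACL_OUT_FIXED = NACL_OUT_BROKEN + [
    {"number": 110, "protocol": "tcp", "ports": (1024, 65535), "cidr": ANY, "action": "allow"}]

def block_client(number):
    """A deny for one client network; whether it bites depends on its number."""
    return {"number": number, "protocol": "-1", "ports": (0, 65535),
            "cidr": "203.0.113.0/24", "action": "deny"}

# One HTTP request from a client; its reply is the same 4-tuple, other direction.
REQUEST = {"protocol": "tcp", "remote_ip": "203.0.113.9", "remote_port": 51000, "local_port": 80}
SG_IN = [{"protocol": "tcp", "ports": (80, 80), "cidr": ANY}]

def walkthrough():
    sg = SecurityGroup(inbound=SG_IN, outbound=[])   # deliberately no outbound rules
    return {
        "nacl_request_in": nacl_decision(NACL_IN, REQUEST, "in"),
        "nacl_reply_out_broken": nacl_decision(NACL_OUT_BROKEN, REQUEST, "out"),
        "nacl_reply_out_fixed": nacl_decision(NACL_OUT_FIXED, REQUEST, "out"),
        "nacl_deny_numbered_first": nacl_decision(NACL_IN + [block_client(90)], REQUEST, "in"),
        "nacl_deny_numbered_last": nacl_decision(NACL_IN + [block_client(200)], REQUEST, "in"),
        "sg_request_in": sg.decision(REQUEST, "in"),
        "sg_reply_out": sg.decision(REQUEST, "out"),
        "sg_unsolicited_out": SecurityGroup(SG_IN, []).decision(REQUEST, "out"),
    }

if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name:28s} {result}")
```

The "deny numbered last" case is the one that bites in practice: adding a deny at rule 200 after an allow at 100 changes nothing, which is why the quiz asks what determines the order a network ACL rule is processed.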
 Modern networks rely heavily on devices
and software designed primarily to secure
them.
 The most prominent and familiar of these
are the firewalls.
 Attacks on accessibility are commonly called denial-of-
service (DoS) attacks because their main effect is the
denial of network services to legitimate users.
 Distributed denial-of-service (DDoS) is an amplified DoS
which uses multiple attacking systems in multiple locations
to generate a traffic spike that will challenge even
powerful targets.
 The AWS Shield service helps to provide defense
against DDoS attacks. There are two levels of AWS
Shield: Standard and Advanced.
Feature                                           Standard   Advanced
Active traffic monitoring and always-on detection Yes        Yes
Automatic attack protection                       Yes        Yes
Availability guarantee                            Region     Application
Advanced DDoS attack protection                   No         Yes
Health-based detection                            No         Yes
Detection tuned to customer’s application         No         Yes
Real-time metrics and alerts                      No         Yes
Post-attack mitigation reports                    No         Yes
DDoS proactive event response support             No         Yes
 A firewall is a service that permits or denies
access to a server based on attributes of each
request, such as its originating IP address.
 When you configure a firewall, you create
firewall rules.
 You can configure firewall rules to grant or
deny access to the server based on
specified ranges of IP addresses, network
protocols, and port information.
 AWS Network Firewall is a managed, cloud-
based network security service that you can
use to protect your AWS VPCs.
 It’s a fully stateful firewall service with
limitless cloud scalability and built-in high
availability.
 Automated scaling and high availability
 Stateful firewall
 Web filtering
 Intrusion prevention
 Flow and alert logs
 Central management and visibility
 Rule customization and management
 Wide support and partner integrations
 Firewall
– A firewall is an AWS resource that provides traffic filtering logic
for VPC subnets.
 Firewall policy
– A firewall policy sets rules and other settings for a firewall to use
when filtering a VPC’s incoming and outgoing traffic.
 Rule group
– A rule group sets the rules used to match against VPC traffic and
the actions to take when Network Firewall finds a corresponding
match. Network Firewall uses stateless and stateful rule group
types.
 Virtual private cloud (VPC)
– Your account’s dedicated virtual network.
 Internet gateway
– An internet gateway is a VPC’s gateway that allows communication
between your VPC resources and the internet.
Continued…
 Subnet
– A subnet is a range of IP addresses in your VPC.
 Firewall subnet
– A firewall subnet is used by Network Firewall exclusively as a
firewall endpoint.
 Route table
– A route table contains a group of rules, called routes. These routes
determine where the Network Firewall directs the network traffic.
 Stateless rules
– A stateless rule inspects each packet on its own, with no memory of
the packets that came before it.
 Stateful rules
– A stateful rule inspects packets in the context of their traffic
flow, so it can reason about a connection rather than a single
packet.
 AWS WAF (Web Application Firewall) is a
firewall for web applications. You can use AWS
WAF to protect your web applications or APIs
against typical web exploits.
 You can create rules to filter any part of a web
request, such as HTTP headers, HTTP body, IP
addresses, or URI strings.
 AWS WAF provides pre-configured rules, called
Managed Rules for AWS WAF, that are
available in the AWS Marketplace.
 AWS WAF gives you almost real-time visibility
into your web traffic.
1. Create a web access control list (web
ACL). You can create the web ACL using
the wizard in the AWS WAF console.
2. Select the AWS resources for which you
want AWS WAF to inspect web requests.
3. Add the rules and rule groups that you
want to use to filter web requests.
4. Specify the web ACL’s default action,
either allow or block.
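The web ACL procedure above, as an added example that is not part of the original course and not AWS code: a model of how a web ACL evaluates rules in priority order, with terminating allow/block actions, COUNT-only rules and a default action. The rule patterns and requests are constructed for illustration (the SQL injection regex is deliberately crude and is not an AWS managed rule).

```python
"""Added example (not AWS code): a model of web ACL evaluation."""
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Illustrative, not exhaustive: a real managed rule group is far broader.
SQLI = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\b)")

def ip_in_set(request, cidrs):
    ip = ipaddress.ip_address(request["ip"])
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def sqli_in_request(request):
    # Inspect the decoded query string and body, as a WAF rule would after
    # a URL_DECODE transformation, so percent-encoded payloads don't slip past.
    decoded = (unquote_plus(urlsplit(request["uri"]).query) + " "
               + unquote_plus(request.get("body", "")))
    return SQLI.search(decoded) is not None

def path_prefix(request, prefix):
    return urlsplit(request["uri"]).path.startswith(prefix)

WEB_ACL = {
    "default_action": "ALLOW",
    "rules": [
        {"name": "office-allowlist", "priority": 0, "action": "ALLOW",
         "match": lambda r: ip_in_set(r, ["192.0.2.0/24"])},
        {"name": "blocked-ips", "priority": 1, "action": "BLOCK",
         "match": lambda r: ip_in_set(r, ["198.51.100.0/24"])},
        {"name": "sqli-query-body", "priority": 2, "action": "BLOCK",
         "match": sqli_in_request},
        {"name": "admin-paths", "priority": 3, "action": "COUNT",
         "match": lambda r: path_prefix(r, "/admin")},
    ],
}

def evaluate(web_acl, request):
    """Return (final action, deciding rule, rules that only counted).
    Rules run in priority order; the first ALLOW or BLOCK match ends the
    evaluation, COUNT matches are recorded and evaluation continues, and
    the default action applies when no rule terminated."""
    counted = []
    for rule in sorted(web_acl["rules"], key=lambda r: r["priority"]):
        if not rule["match"](request):
            continue
        if rule["action"] == "COUNT":
            counted.append(rule["name"])
            continue
        return rule["action"], rule["name"], counted
    return web_acl["default_action"], "default", counted

# Constructed requests.
REQUESTS = {
    "normal": {"ip": "203.0.113.5", "uri": "/search?q=shoes"},
    "sqli_encoded": {"ip": "203.0.113.5", "uri": "/search?q=%27+OR+%271%27%3D%271"},
    "sqli_from_office": {"ip": "192.0.2.10", "uri": "/search?q=%27+OR+%271%27%3D%271"},
    "admin": {"ip": "203.0.113.5", "uri": "/admin/users"},
    "blocked_ip": {"ip": "198.51.100.3", "uri": "/"},
}

def run_all(web_acl=WEB_ACL):
    return {name: evaluate(web_acl, req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for name, (action, rule, counted) in run_all().items():
        print(f"{name:18s} {action:6s} by {rule:17s} counted={counted}")
```

The sqli_from_office case is the design point worth noticing: an allowlist at priority 0 terminates the evaluation, so the injection rule never inspects office traffic. If that is not intended, put the allowlist after the attack rules or make it a COUNT rule.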
 AWS Firewall Manager is a security
management service. It provides a cohesive
place to perform administration and
maintenance for several AWS security
services across multiple accounts.
 You can use Firewall Manager to setup:
– AWS WAF firewall rules
– AWS Network Firewall firewalls
– Amazon VPC security groups
– AWS Shield Advanced protections
To use AWS Firewall Manager, your account
must meet the following prerequisites:
 Your account must be a member of AWS
Organizations.
 Your account must be the AWS Firewall
Manager administrator.
 You must have AWS Config enabled for
your accounts and regions.
 The AWS Organizations management
account must enable RAM for all member
accounts in your organization.
 Data protection means securing a message or
data in a way that can only be accessed by
authorized individuals or groups.
 Non-authorized individuals or groups are less
likely to be able to access the message or data.
Or they might not be able to access it at all.
 Think of data protection as key and door. If you
have the key, you can unlock the door and
access the data. But if you don’t have the key,
then you are blocked from accessing the data.
 One of the main ways data protection happens
is by using encryption.
 Symmetric encryption
– Uses a single key to encrypt and decrypt data.
– Also known as secret-key or private key cryptography.
– Symmetric encryption is well-suited for bulk encryption
of large amounts of data for storage or transmission.
 Asymmetric encryption
– Uses two mathematically-related keys (a public key and
private key pair).
– Data encrypted with one key can only be decrypted
with the other.
– It is also known as public key cryptography.
– Asymmetric cryptography can be used to provide
authenticity as well as confidentiality.
 Data in motion
– Data in motion is the data that is actively
transporting from one location to another, such as
through a private network or across the internet.
 Data at rest
– When data is archived or stored, reasonably secure
encryption techniques should be utilized on the
data.
 Data in use
– This is data that is being shared, processed, or
viewed. This stage of the data lifecycle is less
mature than other data encryption techniques and
typically focuses on Information Rights
Management and Digital Rights Management
solutions.
 Client-side encryption
– Client-side encryption allows you to manage and store
keys on-premises or in another secure location.
– Client-side encryption is performed outside of AWS.
– You maintain full control over your encryption keys.
 Server-side encryption
– Most AWS services that store and manage your data
support server-side encryption.
– In these cases, the service also transparently encrypts
and decrypts your data for you.
– There are three server-side encryption models:
• Customer-managed CMKs (customer master keys)
• AWS-managed CMKs
• AWS-owned CMKs
 AWS Key Management Service (KMS) is a
centralized cloud service for managing keys
and defining policies consistently across
integrated AWS services and your own
applications.
 AWS KMS can help you to create and control
encryption keys used to encrypt your data.
Access to stored secrets and keys requires
proper authentication and authorization. AWS
KMS allows you to create and manage
customer master keys (CMKs).
 AWS KMS CMKs are protected by hardware
security modules (HSMs).
 Customer master keys (CMKs)
– Customer master keys are the primary resources in AWS
KMS. A customer master key (CMK) is a logical
representation of a master key.
 Data keys
– A data key is an encryption key that you can use to encrypt
data. You can use a data key to encrypt large amounts of
data as well as other data encryption keys. Data keys are
generated, encrypted, and decrypted using AWS KMS
CMKs. However, you must use and manage your data keys
outside of AWS KMS.
 Custom key stores
– A custom key store is an AWS KMS resource. A custom key
store is associated with hardware security modules (HSMs) in
a CloudHSM cluster that you own and manage.
 Key policy
– A key policy contains permissions that determine who can
use and manage a CMK.
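The data-key concept above (data keys are generated and wrapped by KMS, but used and managed outside it), as an added example that is not part of the original course and not AWS code. FakeKms is a stand-in for the KMS GenerateDataKey and Decrypt operations; the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is a stand-in for AES-GCM because the Python standard library has no AES. The envelope structure, not the cipher, is the point: the CMK never leaves the "service", each object gets its own data key, and only the wrapped copy of that key is stored.

```python
"""Added example (not AWS code): envelope encryption in the data-key pattern."""
import hashlib
import hmac
import os
import struct

def _keystream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (stand-in for AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def aead_encrypt(key, plaintext, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # verify before decrypting
        raise ValueError("ciphertext failed authentication")
    return _keystream_xor(enc_key, nonce, ct)

class FakeKms:
    """Models the KMS contract: CMK material never leaves this object.
    Callers only ever receive data keys and the result of unwrapping them."""
    def __init__(self):
        self._cmks = {}

    def create_key(self):
        key_id = os.urandom(8).hex()                  # hypothetical key ID format
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id):
        """Like GenerateDataKey: a fresh 256-bit key, returned both in
        plaintext (use it, then discard it) and wrapped under the CMK."""
        plaintext = os.urandom(32)
        wrapped = aead_encrypt(self._cmks[key_id], plaintext, aad=key_id.encode())
        return plaintext, wrapped

    def decrypt(self, key_id, wrapped):
        """Like Decrypt: unwrap a data key; the CMK itself is never returned."""
        return aead_decrypt(self._cmks[key_id], wrapped, aad=key_id.encode())

def encrypt_object(kms, key_id, plaintext):
    """Client side of envelope encryption: one data key per object, and the
    wrapped key is bound to the body as associated data so keys and bodies
    from different envelopes cannot be mixed."""
    data_key, wrapped = kms.generate_data_key(key_id)
    body = aead_encrypt(data_key, plaintext, aad=wrapped)
    return {"key_id": key_id, "wrapped_key": wrapped, "body": body}
    # data_key goes out of scope here; only the wrapped copy is stored

def decrypt_object(kms, envelope):
    data_key = kms.decrypt(envelope["key_id"], envelope["wrapped_key"])
    return aead_decrypt(data_key, envelope["body"], aad=envelope["wrapped_key"])

def detects_tampering(kms, envelope):
    """Flip one ciphertext bit of the stored body; decryption must refuse it."""
    body = bytearray(envelope["body"])
    body[16] ^= 1                                     # first ciphertext byte
    try:
        decrypt_object(kms, {**envelope, "body": bytes(body)})
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    kms = FakeKms()
    key_id = kms.create_key()
    envelope = encrypt_object(kms, key_id, b"customer export 2024")
    print(decrypt_object(kms, envelope), "tamper detected:", detects_tampering(kms, envelope))
```

Revoking access to the CMK (key policy, or disabling the key) makes every envelope under it undecryptable at once, without touching the stored objects; that is the operational reason the data key is kept wrapped next to the data rather than in a separate store.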
 AWS Secrets Manager is a service you can use
to manage access to and securely store secrets.
 A secret is a set of credentials.
 Credentials commonly include a user name,
password, and connection details that you use
to access a secured service.
 AWS Secrets Manager stores your application
secrets in a centralized location where you can
manage and control their distribution to lower
the risk of unintended access.
 AWS Certificate Manager (ACM) is a service
you can use to provision, deploy and
manage your AWS resources’ public and
private Secure Sockets Layer/Transport
Layer Security (SSL/TLS) certificates.
 ACM certificates can secure:
– Single domain names
– Multiple domain names
– Wildcard domains
– Any combination of domain names
 Amazon Macie is a paid, fully managed data
privacy and security service that helps you
discover and protect sensitive data.
 Macie uses pattern matching and machine
learning to find and protect your sensitive
data in your AWS cloud environment.
 Macie automatically provides a list of your
Amazon S3 buckets. The list includes which
buckets are publicly accessible,
unencrypted, or shared with other AWS
accounts.
Which of the following determines when a
network ACL security rule is processed?
Choose the best response.
A. Protocol
B. Rule number
C. Port range
D. Source
B
In AWS, security groups are stateless. True or
false?
A. True
B. False
B
One of your developers needs to set up an
SSL security certificate on a newly deployed
website. Which of the following AWS services
can be used to deploy the SSL server
certificate? Choose the best response.
A. AWS Config
B. AWS ACM
C. Route 53
D. Security Hub
B
Which of the following are good practices for
application security credentials? Select all that
apply.
A. Store them as secrets in Secrets Manager.
B. Embed them in your application code.
C. Delete all access keys and use user names
and passwords instead.
D. Rotate them on a regular basis.
A and D
Which AWS service uses pattern matching
and machine learning to find and protect your
sensitive data? Choose the best response.
A. GuardDuty
B. Amazon Macie
C. Detective
D. AWS Shield
B
Which of the following are needed before using AWS
Firewall Manager? Select all that apply.
A. Your account must be a member of AWS
Organizations.
B. Your account cannot be a member of AWS
Organizations.
C. Your account must be the AWS Firewall Manager
administrator.
D. You must have AWS Config enabled for your
accounts and regions.
E. You must enable RAM for all member accounts in
your organization.
A, C, D, and E
Which of the following services can help
protect your web applications from SQL
injections and other vulnerabilities in your
application code? Choose the best response.
A. AWS Shield
B. AWS WAF
C. AWS Config
D. AWS Cognito
E. Security Hub
B
What service does AWS provide to help
protect against DDoS attacks? Choose the
best response.
A. AWS Shield
B. AWS WAF
C. AWS Config
D. AWS Cognito
E. Security Hub
A
An organization created an EC2 instance. An
application is installed on the instance that
users need to access through the internet
with HTTP. Which of the following can you
modify to allow access? Select all that apply.
A. DDoS Protection settings
B. AWS Network Firewall
C. Security Hub
D. Security groups
B and D
Your organization wants to host an application in
AWS. The application connects to an RDS SQL
database, and you want to store the database
credentials in a secure location. Which of the
following services will fulfill this requirement?
Choose the best response.
A. AWS Managed AD
B. Secrets Manager
C. Certificate Manager
D. GuardDuty
B
You should now know how to:
 Describe cloud security fundamentals and
AWS security services
 Explain authentication and authorization for
the AWS cloud
 Describe AWS detection and incident
response services
 Describe AWS infrastructure and data
protection services
In this chapter, you'll learn how to:
 Describe AWS governance features,
including Identity and Access Management
(IAM), AWS policies, AWS CloudFormation,
and the AWS Cloud Adoption Framework
 Describe privacy and compliance resources,
such as the Amazon core tenets of Security,
Privacy, and Compliance, the purpose of the
Amazon Privacy Statement
 Describe AWS compliance features
In this module, you'll learn how to:
 Describe the functionality and use of Identity
and Access Management (IAM)
 Describe the functionality and usage of
resource locks
 Describe the functionality and use of AWS
policies
 Describe the functionality and usage of AWS
CloudFormation
 Describe the AWS Cloud Adoption Framework
 AWS’s access control solution is called
Identity and Access Management (IAM). You
can use IAM to manage:
– Who has access to AWS resources
– What those users can do with those resources
– What areas they have access to
 You can use IAM to provide granular control
over access management for your AWS
resources.
 Using IAM, you can grant users the specific
access they need to perform their jobs.
 Resources
– IAM resources include users, groups, roles, policies, and identity
providers. Similar to other AWS services, you can add, edit, and
remove resources from IAM.
 Identities
– Identities are IAM resource objects (users, groups, and roles) used
for identifying and grouping purposes. You can attach a policy to
any IAM identity.
 Principals
– A person or application that signs in as the AWS account root user,
an IAM user, or an IAM role to make requests for an action or
operation to AWS.
 Requests
– A principal uses the AWS Management Console, the AWS CLI, or
the AWS API to send a call for an action or operation to AWS.
Continued…
 Entities
– The IAM resource objects (IAM users and roles and federated
users) that AWS uses for authentication.
 Authentication
– A principal must be verified using credentials to send a request to
AWS.
 Authorization
– Authentication verifies who you are. To complete your request,
you must also be authorized (allowed) to perform the action or
operation in your request.
• Explicit deny
• Implicit deny
– By default, every request is implicitly denied. An explicit allow in
an applicable policy overrides that default, but an explicit deny in
any applicable policy overrides any allow.
 Actions or operations
– AWS approves requested actions or operations after AWS
authenticates and authorizes the request.
 IAM users
 IAM groups
 IAM roles
 IAM policies
 AWS service role
 AWS service role for an EC2 instance
 AWS service-linked role
 Role chaining
 Delegation
 Federation
 Federated user
 Trust policy
 Permissions policy
 Principal
 Cross-account access role
 Grant least privilege access
 Use AWS Organizations
 Enable identity federation
 Enable MFA
 Rotate credentials regularly
 Enable IAM Access Analyzer
 IAM policies are a governance feature that
allows you to create, assign, and manage
permissions.
 Kinds of policies
– AWS-managed policy—a standalone policy that is
created and administered by AWS.
– Customer-managed policy—a standalone policy
that you administer in your own AWS account.
– Inline policy—a policy that is embedded in an IAM
identity. An inline policy becomes part of the
identity. You can create an inline policy and embed
it in an identity at any time.
 Identity-based policies
 Resource-based policies
 Permissions boundary policies
 Organization SCPs
 Access control lists (ACLs)
 Session policies
 For some AWS services, it’s possible to grant
cross-account access to your resources.
 To do this, you attach a policy to the resource
that you want to share instead of using a role.
 Resource-based policies specify which principal
can access that resource.
 Cross-account access with a resource-based
policy has an advantage over cross-account access
with a role: the principal keeps its own permissions,
because it doesn’t have to assume (and therefore
switch to) the role to be granted access.
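The explicit/implicit deny rule, the policy types and the same-account resource-based policy behaviour described above, as one added example that is not part of the original course and not AWS code. The function models IAM's evaluation order for a request within one account; the policy documents are constructed, Principal and Condition elements are ignored, NotAction/NotResource are unsupported, and the resource-based policy is assumed to already name the requesting user.

```python
"""Added example (not AWS code): a model of IAM policy evaluation
for a request inside one account."""
from fnmatch import fnmatchcase

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are not.
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def _effect(policies, action, resource):
    """'Deny' if any matching statement denies, else 'Allow' if any
    matching statement allows, else None (the implicit deny)."""
    result = None
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if _matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                result = "Allow"
    return result

def is_authorized(action, resource, identity_policies,
                  boundary=None, scps=None, resource_policy=None):
    scps = scps or []
    everything = (identity_policies + scps
                  + ([boundary] if boundary else [])
                  + ([resource_policy] if resource_policy else []))
    # 1. An explicit deny in any applicable policy ends the evaluation.
    if _effect(everything, action, resource) == "Deny":
        return False
    # 2. SCPs set the outer limit for principals in an organization member account.
    if scps and _effect(scps, action, resource) != "Allow":
        return False
    # 3. Same account: an allow in the resource-based policy is sufficient on
    #    its own, so a permissions boundary's implicit deny does not limit it.
    if resource_policy and _effect([resource_policy], action, resource) == "Allow":
        return True
    # 4. Otherwise an identity-based policy must allow the action ...
    if _effect(identity_policies, action, resource) != "Allow":
        return False
    # 5. ... and, if the user has a permissions boundary, it must allow it too.
    if boundary and _effect([boundary], action, resource) != "Allow":
        return False
    return True

# Constructed policies (hypothetical account, buckets and user).
DEV_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::team-*/*"}]}
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::team-uploads/*"}]}
OBJ = "arn:aws:s3:::team-uploads/report.csv"
BUCKET = "arn:aws:s3:::team-uploads"

def walkthrough():
    return {
        "get_within_boundary": is_authorized("s3:GetObject", OBJ, [DEV_POLICY], BOUNDARY, [SCP]),
        "put_blocked_by_boundary": is_authorized("s3:PutObject", OBJ, [DEV_POLICY], BOUNDARY, [SCP]),
        "put_via_bucket_policy": is_authorized("s3:PutObject", OBJ, [DEV_POLICY], BOUNDARY, [SCP], BUCKET_POLICY),
        "delete_denied_by_scp": is_authorized("s3:DeleteBucket", BUCKET, [DEV_POLICY], None, [SCP], BUCKET_POLICY),
        "no_policy_at_all": is_authorized("s3:GetObject", OBJ, [], None, [SCP]),
    }

if __name__ == "__main__":
    for name, allowed in walkthrough().items():
        print(f"{name:26s} {'allowed' if allowed else 'denied'}")
```

put_via_bucket_policy is the case the quiz later asks about: the boundary never allows s3:PutObject, yet the request succeeds because a same-account resource-based policy grants it. delete_denied_by_scp shows the one thing nothing can override, an explicit deny.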
 You can create and assign customer-
managed policies using the AWS
Management console, AWS CLI, or AWS API.
 Accessing a policy summary (services)
1. In the IAM console, click Policies.
2. In the list of policies, click a policy’s name.
3. On the policy’s Summary page, the Permissions tab lists
services associated with this policy and the access level,
affected resources, and request condition.
 Services summary (actions)
1. In the list of services, click a service’s name.
2. On the service’s Summary page, the Permissions tab lists
actions associated with this service and the affected
resources and request conditions.
 Action summary (resources)
1. In the list of actions, click an action’s name.
2. On the action’s Summary page, the Permissions tab lists
affected resources, regions, accounts, and request
conditions.
 AWS CloudFormation allows cloud architects
to set up a repeatable set of resources that
make up an AWS environment by treating
infrastructure as code.
 With AWS CloudFormation, cloud architects
and development teams can work together to
quickly build and deploy new environments.
 CloudFormation templates are useful for
organizations that need to adhere to strict
compliance or security regulations to meet
those requirements.
 Templates
– An AWS CloudFormation template is a YAML or
JSON formatted text file that describes your
resources, resource dependencies, and
configurations so you can launch a set of resources
together as a stack.
 Stacks
– In AWS CloudFormation, a stack is a collection of
AWS resources that you can manage as a single
item.
 Change sets
– AWS CloudFormation uses change sets to preview
how proposed modifications to a stack might
impact running resources.
1. Code your infrastructure. Code your
infrastructure from a sample template or
from scratch using the CloudFormation
template language (either YAML or JSON
format).
2. Upload your template to an S3 bucket.
3. Use AWS CloudFormation to create a stack.
You can use the AWS CloudFormation
console, AWS CLI, or APIs to create your
stack from your template.
4. AWS CloudFormation provisions and
configures the stacks with the resources you
specified in your template.
 The AWS Cloud Adoption Framework is a
compilation of documentation, best practices,
implementation guides, and tools to help
organizations accelerate creating or expanding
their cloud presence.
 The framework includes both business and
technology strategies that your organization
can use to meet short-term and long-term
cloud objectives.
 You can access the Cloud Adoption Framework
by visiting:
https://aws.amazon.com/professional-
services/CAF/.
 Business
 People
 Governance
 Platform
 Security
 Operations
1. Identify stakeholders in the organization
that are crucial for successful cloud
adoption.
2. Identify and examine cloud adoption
concerns or questions that the
stakeholders have.
3. Determine skills and processes that will
require modification to address the
concerns or questions.
4. Create a final action plan for modifying
those skills or processes.
Which of the following is an IAM identity in
an account that has specific permissions and
can be taken on by anyone who needs it?
Choose the best response.
A. IAM user
B. IAM role
C. IAM resource
D. AWS policy
E. An identity provider
B
Which of the following are included in a
request? Select all that apply.
A. Principal
B. Actions or operations
C. Identity provider
D. Environment data
E. Entity data
F. Resource data
G. Resources
A, B, D, F, and G
You plan to deploy several web apps where
users upload images to S3 buckets. You need
to control access to the buckets. Which of the
following should you use? Choose the best
response.
A. An IAM role
B. A resource lock
C. An identity-based policy
D. A resource-based policy
D
Your organization allows developers to provision
their own EC2 instances in AWS. You need to
ensure that developers only deploy approved
instance types on the corporate account. Which
of the following will meet this requirement?
Choose the best response.
A. A resource lock
B. An AWS policy
C. An IAM group
D. An AWS Blueprint
B
Within an account, an implicit deny in a
permissions boundary does not limit the
permissions granted to an IAM user by a
resource-based policy. True or false?
A. True
B. False
A
Which of the following cannot grant
permissions to entities within the same
account? Choose the best response.
A. Session policies
B. Organizations SCPs
C. Resource-based policies
D. Identity-based policies
E. ACLs
E
If you want to remove access for a developer
who has a role that allows them access to a
resource. Which of the following can you do?
Select all that apply.
A. Create a resource-based policy that blocks
their access.
B. Create an ACL policy.
C. Create a new role that denies them access
and apply it to them.
D. Remove the current role that allows them
access.
A and D
Your organization is going to lift and shift a
critical infrastructure with several environments
to AWS. The environments must meet strict
compliance rules. Which of the following will
allow your developers to quickly deploy
resources configured for compliance standards?
Choose the best response.
A. AWS Marketplace
B. AWS resource-based policies
C. AWS Blueprint templates
D. AWS CloudFormation templates
D
Your organization is considering moving its
entire infrastructure to AWS. You are the cloud
architect and need to work with various
departments and teams in your organization to
get everyone ready for the move to AWS. Which
of the following can you use to guide decision-
making in the organization? Choose the best
response.
A. AWS Migration Framework
B. AWS Cloud Adoption Framework
C. AWS Blueprint
D. AWS CloudFormation templates
B
Which of the following is useful for managing
modifications to critical resources before
implementing them? Choose the best
response.
A. Stacks
B. Resource change groups
C. Change sets
D. AWS CloudFormation templates
C
In this module, you'll learn how to:
 Describe the core tenets of security, privacy,
and compliance for cloud services
 Describe the purpose of the AWS Privacy
Notice and data privacy
 Privacy
– Amazon believes privacy is a fundamental right for everyone,
from individuals to enterprise-level organizations. They aim
to value your privacy and preserve the ability of their
customers to control their data.
 Security
– Amazon uses built-in automation and intelligence to help
protect against cyberthreats, and AWS helps you keep
customer data secure. AWS provides tools to strengthen
security and privacy throughout all phases of the
development process.
 Compliance
– Amazon respects local laws and regulations and provides
comprehensive coverage of compliance offerings. Because
compliance is critical for customers, AWS conforms to
global standards to enhance the trust relationship.
 AWS privacy notice
– What kinds of personal data AWS processes
– How AWS processes this personal data
– For what purposes this personal data is used
– You can access the most current version of the AWS privacy
statement at https://aws.amazon.com/privacy/
 Data privacy resources and FAQs
– AWS maintains an online repository of data privacy resources
and FAQs for AWS products and services available at
https://aws.amazon.com/compliance/data-privacy/
– You can also access information about AWS service
capabilities for privacy considerations at
https://aws.amazon.com/compliance/data-privacy/service-capabilities/
– AWS also has an online resource for the European Union’s
General Data Protection Regulation (GDPR) available at
https://aws.amazon.com/compliance/gdpr-center/
When your organization agrees to use AWS,
the Amazon privacy policy says that Amazon
can mine your data for advertising or
marketing purposes. True or false?
A. True
B. False
False
Where would you find information about how
you can opt out and control your personal
information when using AWS? Choose the
best response.
A. The AWS privacy statement
B. The AWS trust center
C. Online Services Terms (OSTs)
D. Service Level Agreements (SLAs)
A
AWS maintains an online repository of data
privacy resources and FAQs for AWS products
and services. True or false?
A. True
B. False
True
AWS has an online resource for the European
Union’s General Data Protection Regulation
(GDPR). True or false?
A. True
B. False
True
Your organization is considering migrating its
local IT infrastructure to AWS. You need to read
Amazon’s policies regarding customer data
privacy in the AWS public cloud. Where should
you look for this information? Choose the best
response.
A. The AWS Privacy policy
B. The online repository of data privacy
resources and FAQs
C. AWS Privacy center
D. In the Service Level Agreements (SLAs)
B
In this module, you'll learn how to:
 Describe industry compliance terms such as
GDPR, ISO, and NIST
 Describe AWS compliance resources
 Compliance with regulations and standards means
you need to understand your organization’s
responsibilities for governing resources and how
they are used.
 How compliant is the cloud provider at handling
sensitive data?
 How compliant are the cloud provider’s services?
 What terms are part of the cloud provider’s privacy
statement?
 Is it possible to deploy cloud-based solutions for
scenarios that have accreditation or compliance
requirements?
 You can find the various compliance offerings
and the regions in which they are available at
https://aws.amazon.com/compliance/resources/.
 CIS Benchmark
 Cloud Security Alliance (CSA) STAR
Certification
 Service Organization Controls (SOC) Type 2
 International Organization for
Standardization (ISO)/International
Electrotechnical Commission (IEC) 27018
 Criminal Justice Information Services (CJIS)
 National Institute of Standards and
Technology (NIST)
 General Data Protection Regulation (GDPR)
 EU Model Clauses
 Multi-Tier Cloud Security (MTCS) Singapore
 UK Government G-Cloud
 Health Insurance Portability and
Accountability Act (HIPAA)
 Payment Card Industry Data Security
Standard (PCI DSS)
 AWS Artifact
 Customer Compliance Center
 AWS Artifact Reports
– AWS Artifact Reports provide compliance
reports from third-party auditors.
– These auditors have tested and verified that
AWS is compliant with a collection of
industry-specific, regional, and global security
regulations and standards.
 AWS Artifact Agreements
– In AWS Artifact Agreements, you can review,
accept, and manage agreements for an
individual account and for all your accounts in
AWS Organizations.
 The Customer Compliance Center contains
resources to help you learn more about
AWS compliance.
 You can access the Customer Compliance
Center by visiting
https://aws.amazon.com/compliance/customer-center/
 You can access the compliance resources
website at
https://aws.amazon.com/compliance/resources/
 The AWS Compliance Solutions Guide is a repository of frequently
used resources and processes needed to perform your
compliance responsibilities on AWS.
 The Services in Scope webpage provides details about which
services are currently in scope and which are in progress. You
can view this page at
https://aws.amazon.com/compliance/services-in-scope/
Which of the following has Amazon adopted that
covers the processing of personal information by
cloud service providers? Choose the best
response.
A. Cloud Security Alliance (CSA) STAR
Certification
B. The NIST Cybersecurity Framework (CSF)
C. ISO/IEC 27018
D. General Data Protection Regulation (GDPR)
C
If an organization has customers in the EU but
its headquarters is located outside the EU,
it doesn’t need to worry about the GDPR.
True or false?
A. True
B. False
False
Amazon’s PCI DSS compliance status
automatically translates to PCI DSS validation
for the services that customers build or host
on the AWS platform. True or false?
A. True
B. False
False
When your organization completes the
actions within an assessment, you will be in
compliance with the associated standard,
regulation, or law. True or false?
A. True
B. False
True
Which of the following sites will show the
status of AWS services for the assurance
programs? Choose the best response.
A. AWS Services in Scope
B. AWS Artifact Records
C. AWS Artifact Agreements
D. Customer Compliance Center
A
If an auditor requires a download of a
compliance report, where would you find it?
Choose the best response.
A. AWS Artifact Agreements
B. AWS Artifact Reports
C. Customer Compliance Center
D. AWS Services in Scope
B
Which tasks can you complete in AWS Artifact?
Select all that apply.
A. Access AWS compliance reports on-demand.
B. Set permissions for accounts by configuring
service control policies (SCPs).
C. Create users to enable people and
applications to interact with AWS services
and resources.
D. Consolidate and manage multiple AWS
accounts within a central location.
E. Review, accept, and manage agreements
with AWS.
A and E
You should now know how to:
 Describe AWS governance features,
including Identity and Access Management
(IAM), AWS policies, AWS CloudFormation,
and the AWS Cloud Adoption Framework
 Describe privacy and compliance resources,
such as the Amazon core tenets of Security,
Privacy, and Compliance, and the purpose of the
Amazon Privacy Statement
 Describe AWS compliance features

AWS-CCP-PPTs-v2.pptx
  • 119.
     Apply policiesto standardize tags for your organization’s resources.  Apply policies to control how AWS artificial intelligence (AI) and machine learning services can collect and store data.  Apply backup policies to configure automatic backups for your organization’s resources  Utilize Identity and Access Management (IAM) to control users and roles in individual accounts or a group of accounts.
  • 120.
     Consolidated billingallows you to receive a single bill for all of the accounts in your organization.  Consolidated billing has the following benefits:  Free service  One bill  Easy tracking  Combined usage Continued…
  • 124.
     What arethe estimated costs for the current month?  How much has the organization incurred so far this month?  Will the organization stay under budget?  Is the latest invoice going to be more than the previous month?  How did spending habits change from the previous month?  What are the cost trends?  Are there any cost outliers?  How should the invoiced charges be broken down for the organization?
  • 125.
     Create estimatesfor your AWS solutions.  The pricing calculator gives you an estimate of the costs per service and the total cost.
  • 126.
  • 129.
     AWS offerstwo APIs that you can use to query prices: – AWS Price List Bulk API: You can use this API to query the prices of AWS services in bulk. The API returns either a JSON or a CSV file. – AWS Price List Query API: You can use this API to query specific information about AWS services, products, and pricing using an AWS SDK or the AWS CLI. This API can retrieve information about certain products or prices, rather than retrieving prices in bulk.
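    The Bulk API offer file is a large JSON document keyed by SKU, and the price you want sits several levels deep under terms. The block below is an added example, not from the course deck: it parses a hand-built, trimmed imitation of that layout (the SKUs, rate codes and prices are made up) to pick the On-Demand hourly rate for one product and turn it into a monthly estimate.

```python
"""Parse an AWS Price List Bulk API offer file (constructed sample) to find
an On-Demand hourly rate and estimate a monthly bill.

Added example, not from the course deck. The JSON below imitates the real
offer-file layout (products keyed by SKU; terms keyed by SKU -> offer term
code -> rate code) but every SKU, rate code and price is made up."""
import json

# Constructed sample in the offer-file layout; values are illustrative only.
SAMPLE_OFFER_FILE = json.dumps({
    "formatVersion": "v1.0",
    "offerCode": "AmazonEC2",
    "products": {
        "SKU111": {"sku": "SKU111", "productFamily": "Compute Instance",
                   "attributes": {"instanceType": "t3.micro", "location": "US East (N. Virginia)",
                                  "operatingSystem": "Linux", "tenancy": "Shared",
                                  "preInstalledSw": "NA", "capacitystatus": "Used"}},
        "SKU222": {"sku": "SKU222", "productFamily": "Compute Instance",
                   "attributes": {"instanceType": "t3.micro", "location": "US East (N. Virginia)",
                                  "operatingSystem": "Windows", "tenancy": "Shared",
                                  "preInstalledSw": "NA", "capacitystatus": "Used"}},
    },
    "terms": {"OnDemand": {
        "SKU111": {"SKU111.JRTCKXETXF": {"offerTermCode": "JRTCKXETXF", "priceDimensions": {
            "SKU111.JRTCKXETXF.6YS6EN2CT7": {"unit": "Hrs", "pricePerUnit": {"USD": "0.0104000000"}}}}},
        "SKU222": {"SKU222.JRTCKXETXF": {"offerTermCode": "JRTCKXETXF", "priceDimensions": {
            "SKU222.JRTCKXETXF.6YS6EN2CT7": {"unit": "Hrs", "pricePerUnit": {"USD": "0.0196000000"}}}}},
    }},
})


def find_skus(offer, **attrs):
    """Return the SKUs whose product attributes match every given key/value."""
    return [sku for sku, product in offer["products"].items()
            if all(product["attributes"].get(k) == v for k, v in attrs.items())]


def on_demand_hourly_usd(offer, sku):
    """Walk terms -> OnDemand -> sku -> term -> priceDimensions to the USD rate."""
    for term in offer["terms"]["OnDemand"][sku].values():
        for dim in term["priceDimensions"].values():
            if dim["unit"] == "Hrs":
                return float(dim["pricePerUnit"]["USD"])
    raise KeyError(f"no hourly On-Demand dimension for {sku}")


def monthly_estimate(offer, hours=730, **attrs):
    """Monthly On-Demand cost (730 h/month) for the single SKU matching attrs.
    Refuses ambiguous matches: the offer file has a SKU per OS, tenancy and
    capacity status, so an under-specified query silently picks the wrong one."""
    skus = find_skus(offer, **attrs)
    if len(skus) != 1:
        raise ValueError(f"expected exactly one SKU, got {skus}")
    return round(on_demand_hourly_usd(offer, skus[0]) * hours, 2)


if __name__ == "__main__":
    offer = json.loads(SAMPLE_OFFER_FILE)
    print(monthly_estimate(offer, instanceType="t3.micro", operatingSystem="Linux"))
```

    Against a real offer file, also filter on capacitystatus, tenancy and preInstalledSw: the same instance type appears as several SKUs (reserved and unused capacity reservations among them, some priced at zero), and an estimate built from the wrong SKU is off by the whole instance cost.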
  • 130.
    Cost Explorer is a free tool in the AWS Billing and Cost Management console that enables you to view and analyze your usage and the resulting costs.
    Continued…
  • 133.
    Tags are a way to organize your AWS resources and management hierarchy.
    - Made up of a key and value pair
    - Identify resources
    - Usable as a Cost Explorer filter
  • 135.
    AWS Budgets is a budgeting tool provided in Billing and Cost Management that can help you compare and track spending as you analyze costs.
  • 136.
    Budget types:
    - Cost budgets
    - Usage budgets
    - Reservation budgets
    - Savings Plans budgets
  • 137.
    - You set a monthly cost budget with a fixed amount of $200 and set an alert for when costs reach half that amount ($100).
    - You set a monthly usage budget with a fixed usage amount and configure forecast alerts to ensure your usage doesn't exceed the designated amount. This type of budget is useful for AWS Free Tier offerings: you can make sure that you are staying under the Free Tier limit for a service.
    Continued…
  • 138.
    - You configure a daily utilization budget to track your Savings Plans or RIs. You can elect to be notified if the utilization drops below a certain percentage for a given day.
    - You set a monthly cost budget with a variable target amount. For example, you can specify that each month your budget should grow by 2 percent. Then, you can configure your alerts for a percentage of your budgeted amount and apply an action.
  • 140.
    1. Set up the budget report.
    2. Configure delivery settings.
    3. Confirm the budget report.
  • 142.
    - Cut out waste
    - Right-size, de-allocate, or delete Amazon EBS-backed instances
    - Choose low-cost regions or locations
    - Use purchase discounts
    - Migrate to PaaS or SaaS services
  • 143.
    - AWS License Manager
    - Bring-your-own-license (BYOL)
  • 144.
    A free cloud consultant that helps you optimize your AWS infrastructure and workloads.
    Continued…
  • 145.
    Recommendation categories:
    - Cost optimization
    - Performance
    - Security
    - Fault tolerance
    - Service limits
  • 146.
    - A green check indicates the number of items without any detected problems.
    - An orange triangle represents the number of recommended investigations.
    - A red circle represents the number of recommended actions.
  • 148.
    You can save estimates from the pricing calculator even if you are not logged into the AWS Management console. True or false? A. True B. False Answer: True
  • 149.
    Which of the following will make recommendations regarding possible reservations that would save money? Choose the best response. A. Cost Explorer B. Trusted Advisor C. The pricing calculator D. AWS Budgets Answer: B
  • 150.
    What type of budget would you use to plan how much you want to use one or more services? Choose the best response. A. Cost budget B. Usage budget C. Reservation budgets D. Savings Plan budgets Answer: B
  • 151.
    Which of the following EC2 instance purchasing options support the bring-your-own-license (BYOL) model for almost every BYOL scenario? Choose the best response. A. On-Demand instances B. Reserved instances C. Dedicated Hosts D. Convertible instances E. Dedicated instances Answer: C
  • 152.
    Which of the following are true about consolidated billing? Select all that apply. A. You receive one bill per AWS account. B. You receive one bill for multiple AWS accounts. C. You are charged a fee per user. D. You can combine usage and share volume pricing discounts. Answer: B and D
  • 153.
    Which one of the following services can you use to configure custom cost and usage limits and set alerts for when thresholds are exceeded? Choose the best response. A. AWS Budgets B. AWS Trusted Advisor C. Cost Explorer D. AWS Organizations Answer: A
  • 154.
    Which one of the following services can you use to examine EC2 instance billing for the past month? Choose the best response. A. AWS Budgets B. AWS Trusted Advisor C. Cost Explorer D. AWS Organizations Answer: C
  • 155.
    Which of the following services can an organization use to examine its spending over the past month? Choose the best response. A. AWS Budgets B. AWS Trusted Advisor C. Cost Explorer D. AWS Organizations Answer: C
  • 156.
    Where can you find historical billing information for your organization? Choose the best response. A. AWS Budgets B. AWS Billing and Cost Management console C. Cost Explorer D. AWS Organizations Answer: B
  • 157.
    Which pillar checks are provided in Trusted Advisor with the Basic (Free) support option? Select all that apply. A. Cost optimization B. Performance C. Security D. Fault tolerance E. Service limits F. Compliance Answer: C and E
  • 158.
    In this module, you'll learn how to:
    - Describe AWS support models
    - Distinguish between the various AWS support plans
    - Describe a service-level agreement (SLA)
    - Describe composite SLAs
    - Determine an appropriate SLA for an application
  • 159.
    AWS provides various resources to help customers find answers to their questions about services or capabilities.
  • 160.
    AWS Basic support includes:
    - Billing and subscription management support
    - The AWS Personal Health Dashboard, which gives you insights on issues related to your AWS services
    - AWS Trusted Advisor, which gives you personalized recommendations on how to optimize your cost and performance
  • 161.
    Support plan comparison:

    Basic
    - Cost: Free
    - Best for: Non-production workloads
    - Reactive technical support: None
    - Enhanced technical support: None; only 24x7 access to customer service
    - Account assistance: None
    - Architectural guidance: None
    - AWS Trusted Advisor best practice checks: 7 core checks

    Developer
    - Cost: Greater of $29/month or a percentage of monthly AWS usage
    - Best for: Non-critical workloads
    - Reactive technical support: General guidance < 24 business hrs; System impaired < 12 business hrs
    - Enhanced technical support: Email support from Cloud Support Associates during business hours; unlimited cases with a single primary contact
    - Account assistance: None
    - Architectural guidance: General
    - AWS Trusted Advisor best practice checks: 7 core checks

    Business
    - Cost: Greater of $100/month or a percentage of monthly AWS usage
    - Best for: Production workloads
    - Reactive technical support: General guidance < 24 business hrs; System impaired < 12 business hrs; Production system impaired < 4 business hrs; Production system down < 1 business hr
    - Enhanced technical support: 24x7 email, phone, and chat support from Cloud Support Engineers; unlimited cases and unlimited contacts
    - Account assistance: None
    - Architectural guidance: Related to your use cases
    - AWS Trusted Advisor best practice checks: Full set of checks

    Enterprise
    - Cost: Greater of $15,000/month or a percentage of monthly AWS usage
    - Best for: Business-critical workloads
    - Reactive technical support: General guidance < 24 business hrs; System impaired < 12 business hrs; Production system impaired < 4 business hrs; Production system down < 1 business hr; Business-critical system down < 15 minutes
    - Enhanced technical support: 24x7 email, phone, and chat support from Cloud Support Engineers; unlimited cases and unlimited contacts; monitoring and optimization support by a designated Technical Account Manager (TAM)
    - Account assistance: Concierge Support Team
    - Architectural guidance: Well-Architected Reviews and guidance based on your applications
    - AWS Trusted Advisor best practice checks: Full set of checks
  • 162.
    You can create and manage support requests in the AWS console at https://console.aws.amazon.com/support/home#/
  • 164.
    - AWS Knowledge Center
    - Knowledge Center Videos
    - Developer forums
    - AWS documentation
    - Training and Certification
    - Twitter
  • 166.
    - A service-level agreement (SLA) describes the commitment between a service provider and its customer for some type and amount of service.
    - You can read the US SLAs for individual AWS products and services at https://aws.amazon.com/legal/service-level-agreements/
  • 167.
    Three nines to five nines (downtime figures assume a 30-day month and a 365-day year):

    SLA %                | Downtime per week | Downtime per month | Downtime per year
    99                   | 1.68 hours        | 7.2 hours          | 3.65 days
    99.9 (three nines)   | 10.1 minutes      | 43.2 minutes       | 8.76 hours
    99.95                | 5 minutes         | 21.6 minutes       | 4.38 hours
    99.99 (four nines)   | 1.01 minutes      | 4.32 minutes       | 52.56 minutes
    99.999 (five nines)  | 6 seconds         | 25.9 seconds       | 5.26 minutes
  • 168.
    - Amazon provides service credits on accounts as compensation for an under-performing product or service.
    - The following formula calculates the EC2 monthly uptime percentage across Availability Zones for this SLA:
      Monthly uptime % = (maximum available minutes - downtime) / maximum available minutes x 100
  • 169.
    - Composite SLAs are used to calculate overall performance targets for solutions or workloads involving numerous services, each with a different availability level.
    - Calculate by multiplying the SLAs together: 0.9995 x 0.9999 = 0.9994
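    The downtime table, the EC2 monthly uptime formula and the composite rule are all small arithmetic, but the arithmetic is where availability targets go wrong in practice, so the added example below (not from the course deck) carries them through in code. It reproduces the table from the percentages, applies the uptime formula, multiplies SLAs for services that depend on each other, and, going one step beyond the deck, shows the complementary rule for independent redundant copies of a tier, which is why placing resources in multiple regions raises uptime. The independence of failures in that last function is an assumption, not something the deck states.

```python
"""Downtime budgets, the EC2 monthly uptime formula and composite SLAs.
Added example, not part of the course deck. The 30-day month and 365-day
year are the deck's own assumptions for its downtime table."""

MINUTES_PER_WEEK = 7 * 24 * 60
MINUTES_PER_MONTH = 30 * 24 * 60
MINUTES_PER_YEAR = 365 * 24 * 60


def downtime_minutes(sla_percent):
    """Allowed downtime in minutes per week, month and year for an SLA."""
    unavailable = 1 - sla_percent / 100
    return {"week": unavailable * MINUTES_PER_WEEK,
            "month": unavailable * MINUTES_PER_MONTH,
            "year": unavailable * MINUTES_PER_YEAR}


def monthly_uptime_percent(max_available_minutes, downtime):
    """EC2 SLA formula: (maximum available minutes - downtime) / max * 100."""
    if downtime > max_available_minutes:
        raise ValueError("downtime cannot exceed the available minutes")
    return (max_available_minutes - downtime) / max_available_minutes * 100


def composite_sla(*slas):
    """Serial dependencies: the workload is up only if every service is up,
    so the availabilities (as fractions) multiply. This is the deck's rule."""
    result = 1.0
    for sla in slas:
        result *= sla
    return result


def redundant_sla(*slas):
    """Independent redundant copies (for example the same tier deployed in
    two regions): the workload is down only if every copy is down at once.
    Assumes the copies fail independently; shared dependencies break that."""
    down = 1.0
    for sla in slas:
        down *= 1 - sla
    return 1 - down


if __name__ == "__main__":
    for pct in (99, 99.9, 99.95, 99.99, 99.999):
        d = downtime_minutes(pct)
        print(f"{pct}%: {d['week']:.2f} min/week, {d['month']:.2f} min/month, "
              f"{d['year'] / 60:.2f} h/year")
    print(round(composite_sla(0.9995, 0.9999), 4))   # the deck's example
    print(round(redundant_sla(0.9995, 0.9995), 8))  # two independent copies
```

    Note how quickly the serial rule erodes a target: four services at 99.95% each give 99.8% composite, already outside a three-nines commitment, which is why dependency mapping (slide 173) matters before you promise an SLA.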
  • 171.
    - Create your own SLAs by selecting products and services that set performance targets to suit your specific application.
    - This method is known as an Application SLA.
  • 172.
    - Recovery time objective (RTO): the maximum acceptable time an application is unavailable after a failure or incident.
    - Recovery point objective (RPO): the maximum period of data loss that the organization finds acceptable during a disaster.
    - Mean time to recover (MTTR): the average time it takes to restore a resource or component after a failure.
    - Mean time between failures (MTBF): how long a resource or component can reasonably be expected to last between outages.
  • 173.
    - Perform dependency mapping
    - Pay attention to external dependencies
  • 174.
    Resiliency is the capacity of an application or workload to recover from failures and resume functioning. Resiliency isn't about avoiding failures; it's about responding to them.
  • 175.
    - Availability represents the time that a system or application is working and functional.
    - As complexity increases, more services depend on each other.
    - As a result, you might overlook or miss possible failure points.
  • 177.
    Match the items in the first column to the correct items in the second column. 1. RTO 2. RPO 3. MTTR 4. MTBF A. The average time it takes to restore a resource or component after a failure. B. The maximum acceptable time an application is unavailable after a failure or incident. C. How long a resource or component can reasonably be expected to last between outages. D. The maximum period of data loss that the organization finds acceptable during a disaster. Answer: 1-B, 2-D, 3-A, 4-C
  • 178.
    What is guaranteed in an AWS service level agreement (SLA)? Choose the best response. A. Feature availability B. Uptime and connectivity C. Bandwidth D. Performance E. Resiliency Answer: B
  • 179.
    An organization is planning on hosting a set of resources in its AWS account. They are aware that most AWS services provide at least a minimum SLA of 99.9%. Which of the following techniques could they use to increase the uptime for their resources? Choose the best response. A. Add the resources to the same data center B. Add the resources to multiple regions C. Add the resources to the same account D. Add the resources to the same Availability Zone Answer: B
  • 180.
    A company is trying some services that are offered by AWS in the Free Tier. They won't ever exceed the Free Tier level, so they don't need to pay for these services. Do these services provide service credits for downtime? A. Yes B. No Answer: B
  • 181.
    A company has a set of AWS EC2 instances. One of the instances was down for an extended period of time due to issues with the underlying AWS infrastructure. The downtime exceeded the standard Amazon-defined SLA for EC2. How will Amazon remedy the situation? Choose the best response. A. They will provide the instance free of cost to use for a specific duration of time. B. They will not provide any reimbursement. C. They will provision another instance free of cost. D. They will provide service credits to the customer. Answer: D
  • 182.
    Which support plans provide support via email, chat, and phone? Select all that apply. A. Basic B. Developer C. Business D. Enterprise Answer: C and D
  • 183.
    Which support plans provide the full set of checks in Trusted Advisor? Select all that apply. A. Basic B. Developer C. Business D. Enterprise Answer: C and D
  • 184.
    Which of the following options are included in the Enterprise support plan but not in other plans? Select all that apply. A. A TAM (Technical Account Manager) B. Unlimited cases / unlimited contacts (IAM supported) C. A full set of Trusted Advisor checks D. A Concierge Support Team E. 24x7 phone, email, and chat access to Cloud Support Engineers F. Well-Architected Reviews Answer: A, D, and F
  • 185.
    Which of the following options are included in the Business support plan? Select all that apply. A. A TAM (Technical Account Manager) B. Unlimited cases / unlimited contacts (IAM supported) C. A full set of Trusted Advisor checks D. A Concierge Support Team E. 24x7 phone, email, and chat access to Cloud Support Engineers F. Well-Architected Reviews Answer: B, C, and E
  • 186.
    Which one of the following is the Twitter handle for getting answers and support from the official Amazon AWS Twitter support channel? Choose the best response. A. @AmazonSupport B. @AWSExpert C. @AWSSupport D. @AWSTechSupport E. @AWSHelp Answer: C
  • 187.
    You should now know how to:
    - Describe AWS purchasing options, compare various AWS pricing models, and describe the AWS Free Tier
    - Describe cost planning and management, including the Billing and Cost Management console, AWS Organizations, AWS Cost Explorer, AWS Budgets, the AWS Pricing Calculator, and AWS Trusted Advisor
    - Distinguish between the various AWS Support Plans, and describe and compare service-level agreements (SLAs) and composite SLAs
  • 188.
    In this chapter, you'll learn how to:
    - Describe core architectural components such as regions, Availability Zones, Local Zones, and resource groups
    - Describe and use AWS tools such as the AWS Management console, AWS CLI, AWS CloudShell, and the AWS Console Mobile Application
    - Describe and use AWS monitoring tools such as Amazon CloudWatch, CloudTrail, Trusted Advisor, and the AWS Health Dashboard
  • 189.
    In this module, you'll learn how to:
    - Describe regions and Edge locations
    - Describe Availability Zones and Local Zones
    - Describe resource groups
    - Describe the benefits of the core AWS architectural components
  • 190.
    An AWS region is a geographical area that contains multiple data centers that are close enough to be networked together as a low-latency network.
  • 191.
    - US government special regions
    - China government regions
  • 192.
    An Amazon Edge location is a site that Amazon CloudFront uses to store cached copies of your content closer to your customers for faster delivery.
  • 194.
    - Availability Zones are physically separate data centers within an AWS region.
    - Availability Zones are physically separated but are all within 60 miles (100 km) of each other in a region.
    - AWS Availability Zones are made up of one or more data centers.
    - Each data center is equipped with independent power, cooling, and networking components.
  • 196.
    - Use Availability Zones to build high availability into your application architecture.
    - To do so, locate your compute, network, storage, and data resources within an Availability Zone, and then replicate that setup in other zones.
  • 197.
    - An AWS Local Zone is an extension of a region that is geographically close to your users.
    - AWS Local Zones place AWS compute, storage, database, and other select services close to large populations, media and entertainment industries, and IT centers.
  • 199.
    - A resource group is a container that organizes the connected resources of an AWS solution or workload that are located in the same region.
    - In AWS, there are two types of queries that you can use to build a resource group:
      - Tag-based
      - AWS CloudFormation stack-based
    - In both query types, you specify resource types using the format AWS::service::resource.
  • 200.
    - Logical grouping
    - Lifecycle
    - Authorization
  • 201.
    - AWS Management console
    - AWS Resource Groups & Tag Editor
    - AWS CLI
    - AWS SDK programming languages
  • 203.
    - To update a tag-based resource group in the Resource Groups console, you can edit the query and tags that are the basis of your group.
    - To update an AWS CloudFormation stack-based resource group, you can choose a different stack.
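    A resource group is defined by its query, and the two query types have a specific shape: an envelope with a Type of TAG_FILTERS_1_0 or CLOUDFORMATION_STACK_1_0 and the inner query as a JSON string. The added example below (not from the course deck) builds both envelopes and evaluates a tag-based query against a constructed inventory the way the service does, so you can see the matching rules: the resource type must be listed (or AWS::AllSupported), every tag filter must match, and keys and values are case-sensitive. The ARNs, account number and tags are made up.

```python
"""Build AWS Resource Groups queries and evaluate a tag-based query locally.

Added example, not from the course deck. The envelopes follow the format the
Resource Groups API accepts (Type TAG_FILTERS_1_0 or CLOUDFORMATION_STACK_1_0,
inner query serialized as a JSON string). The inventory is constructed."""
import json

# Constructed inventory: ARN -> (type in AWS::service::resource form, tags)
INVENTORY = {
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa":
        ("AWS::EC2::Instance", {"Environment": "prod", "Team": "payments"}),
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbb":
        ("AWS::EC2::Instance", {"Environment": "Prod"}),   # note the capital P
    "arn:aws:s3:::payments-prod-logs":
        ("AWS::S3::Bucket", {"Environment": "prod", "Team": "payments"}),
    "arn:aws:rds:us-east-1:111122223333:db:orders":
        ("AWS::RDS::DBInstance", {"Environment": "prod"}),
}


def tag_query(resource_types, tag_filters):
    """TAG_FILTERS_1_0 query. An empty Values list matches any value of that key."""
    inner = {"ResourceTypeFilters": list(resource_types),
             "TagFilters": [{"Key": k, "Values": list(v)} for k, v in tag_filters.items()]}
    return {"Type": "TAG_FILTERS_1_0", "Query": json.dumps(inner)}


def stack_query(stack_arn, resource_types=("AWS::AllSupported",)):
    """CLOUDFORMATION_STACK_1_0 query: everything a given stack created."""
    inner = {"ResourceTypeFilters": list(resource_types), "StackIdentifier": stack_arn}
    return {"Type": "CLOUDFORMATION_STACK_1_0", "Query": json.dumps(inner)}


def matches(resource_type, tags, query):
    """Apply a TAG_FILTERS_1_0 query: type must be listed (or AWS::AllSupported)
    and every tag filter must match; keys and values are case-sensitive."""
    if query["Type"] != "TAG_FILTERS_1_0":
        raise ValueError("only tag-based queries can be evaluated locally")
    inner = json.loads(query["Query"])
    types = inner["ResourceTypeFilters"]
    if "AWS::AllSupported" not in types and resource_type not in types:
        return False
    for f in inner["TagFilters"]:
        if f["Key"] not in tags:
            return False
        if f["Values"] and tags[f["Key"]] not in f["Values"]:
            return False
    return True


def group_members(inventory, query):
    """Sorted ARNs that would belong to the group defined by query."""
    return sorted(arn for arn, (rtype, tags) in inventory.items()
                  if matches(rtype, tags, query))


if __name__ == "__main__":
    q = tag_query(["AWS::EC2::Instance", "AWS::S3::Bucket"], {"Environment": ["prod"]})
    print(json.dumps(q, indent=2))
    for arn in group_members(INVENTORY, q):
        print(arn)
```

    The instance tagged Environment=Prod is left out of the prod group: a tagging convention that tolerates inconsistent case quietly shrinks every group, budget filter and automation target built on it.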
  • 205.
    - Tags consist of a key/value pair of text data that you can apply to resource groups and resources.
    - You can add up to 50 tags to a resource.
    - Tag keys and values are case-sensitive.
    - You can also use policy conditions (an AWS Organizations tag policy, or IAM policy conditions on the tags in a request) to automatically add or enforce tags on your organization's resources.
  • 206.
    - If you intend to use tags for specific scenarios, you will need to rely on the consistent use of tag keys and tag values.
    - Tags can be required, conditionally required, or optional.
    - Required tags are mandatory under all circumstances (for example, a classification tag on a resource that stores sensitive data).
  • 207.
    - Resources grouped by resource type
    - Resources grouped by environment
    - Resources grouped by department
    - Combination method
  • 208.
    - Tags for access control
    - Grouping to organize billing data
    - Grouping resources
    - Monitoring resources
    - Grouping for automation
    - Tagging for lifecycle
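    Tags only do the work listed above if they are present and spelled consistently, and that is best enforced at creation time rather than audited afterwards. The added example below (not from the course deck) does two things for a constructed tag scheme with required, conditionally required and optional keys: it generates an IAM policy that denies ec2:RunInstances when a required tag is missing or carries a value outside the allowed set, and it validates a tag set locally against the same scheme (50-tag limit, case-sensitive keys, the conditional rule). The scheme, keys and allowed values are assumptions; the aws:RequestTag/<key> condition key and the Null operator are real IAM features that apply to tag-on-create calls such as RunInstances.

```python
"""Generate an IAM policy that refuses untagged EC2 launches, and validate a
tag set against the same scheme locally.

Added example, not from the course deck. The scheme (Environment, Owner,
DataClassification, CostCenter) is illustrative. The condition keys
aws:RequestTag/<key> and the Null operator are real IAM features."""
import json

MAX_TAGS_PER_RESOURCE = 50  # the limit quoted in the deck

# Constructed scheme. None means any value is acceptable.
SCHEME = {
    "required": {"Environment": ["prod", "dev", "test"], "Owner": None},
    # conditionally required: (predicate over the tag set, allowed values)
    "conditional": {"DataClassification": (lambda tags: tags.get("Environment") == "prod",
                                           ["public", "internal", "confidential"])},
    "optional": {"CostCenter": None},
}

INSTANCE_ARN = "arn:aws:ec2:*:*:instance/*"


def deny_untagged_launch_policy(scheme):
    """One Deny per required key. Separate statements are deliberate: condition
    keys inside one Condition block are ANDed, and we want to deny when ANY
    required key is absent, not only when all of them are."""
    statements = []
    for key, allowed in scheme["required"].items():
        statements.append({"Sid": f"Require{key}", "Effect": "Deny",
                           "Action": "ec2:RunInstances", "Resource": INSTANCE_ARN,
                           "Condition": {"Null": {f"aws:RequestTag/{key}": "true"}}})
        if allowed:
            statements.append({"Sid": f"Restrict{key}Values", "Effect": "Deny",
                               "Action": "ec2:RunInstances", "Resource": INSTANCE_ARN,
                               "Condition": {"StringNotEquals": {f"aws:RequestTag/{key}": allowed}}})
    return {"Version": "2012-10-17", "Statement": statements}


def validate_tags(tags, scheme):
    """Return a list of findings (empty means compliant)."""
    findings = []
    if len(tags) > MAX_TAGS_PER_RESOURCE:
        findings.append(f"{len(tags)} tags exceeds the {MAX_TAGS_PER_RESOURCE}-tag limit")
    for key, allowed in scheme["required"].items():
        if key not in tags:
            findings.append(f"missing required tag {key}")
        elif allowed and tags[key] not in allowed:
            findings.append(f"{key}={tags[key]!r} not in {allowed}")
    for key, (needed_when, allowed) in scheme["conditional"].items():
        if key not in tags:
            if needed_when(tags):
                findings.append(f"{key} is required for this resource but missing")
        elif allowed and tags[key] not in allowed:
            findings.append(f"{key}={tags[key]!r} not in {allowed}")
    known = set(scheme["required"]) | set(scheme["conditional"]) | set(scheme["optional"])
    for key in tags:
        if key not in known:  # catches case drift such as "environment"
            findings.append(f"unexpected tag key {key!r} (keys are case-sensitive)")
    return findings


if __name__ == "__main__":
    print(json.dumps(deny_untagged_launch_policy(SCHEME), indent=2))
    print(validate_tags({"environment": "prod", "Owner": "bob"}, SCHEME))
```

    The Deny statements only bite on calls that tag at creation; a separate control on ec2:CreateTags and ec2:DeleteTags is needed to stop someone from launching compliant and retagging afterwards, which is the usual gap in tag-based access control.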
  • 211.
    To what level of physical granularity can you deploy an app? Choose the best response. A. Data center B. Region C. Server rack D. Geographies Answer: B
  • 212.
    To use AWS data centers that are made available with power, cooling, and networking capabilities independent from other data centers in a region, what should the region support? Choose the best response. A. Region pairs B. Geography distributions C. Service-level agreements D. Availability Zones Answer: D
  • 213.
    Which of the following describes application availability? Choose the best response. A. The overall time that a system is running and functional. B. Application support for an Availability Zone. C. The service-level agreement of the associated resource. Answer: A
  • 214.
    You can apply tags to any type of resource on AWS. True or false? A. True B. False Answer: B
  • 215.
    If you apply tags at a resource group level, they are propagated to resources within the resource group. True or false? A. True B. False Answer: B
  • 216.
    Which of the following approaches might be a good usage of tags? Choose the best response. A. Using tags to store environment and department association B. Using tags in conjunction with AWS automation to schedule maintenance windows C. Using tags to associate a cost center with resources for internal accounting purposes D. All of the above are good uses for tags Answer: D
  • 217.
    Which of the following methods would be the most efficient way to ensure your organization follows a naming convention across its account? Choose the best response. A. Send out an email with the details of your naming conventions for resources in the account. B. Create a policy with your naming requirements and assign it to an account role. C. Create a service-level agreement with your naming requirements and assign it to the account. D. Give all other users except for yourself read-only access to the account. Have all requests to create resources sent to you so you can review the names being assigned to resources, and then create them. Answer: B
  • 218.
    In this module, you'll learn how to:
    - Describe AWS tools such as the AWS Management console, AWS CloudShell, AWS CLI, and the AWS Console Mobile Application
    - Access and use AWS CloudFormation
  • 219.
    - AWS Management console: provides a graphical user interface (GUI) for interacting with AWS
    - AWS CLI: provides command-line and automation-based interaction with AWS
    - AWS CloudShell: provides a browser-based command-line interface
    - AWS Console Mobile Application: provides monitoring and management of resources from a mobile device
  • 220.
    - The AWS Management console is a graphical user interface (GUI) that runs in any web browser.
    - The console provides options for creating and managing your AWS account and all your AWS resources.
    - You sign in to the AWS Management console with your web browser at https://console.aws.amazon.com.
  • 223.
    - A dashboard is a customizable set of user-interface tiles displayed in an AWS console.
    - Dashboards provide flexibility for managing AWS according to your needs and workflow.
  • 224.
    AWS CloudShell is an interactive, authenticated, browser-based shell environment that you can use to deploy, manage, and develop AWS resources. It starts with the credentials of the console user who opened it, so anything the shell runs has exactly that user's permissions.
    - Bash: if you are in the Bash shell, the command prompt will be $.
    - PowerShell: if you are in PowerShell, the command prompt will be PS>.
    - Z shell: if you are in Z shell, the command prompt will be %.
  • 225.
    - CloudShell persists files in your $HOME directory.
    - AWS CloudShell provides 1 GB of persistent storage per AWS region at no cost.
    - Your $HOME directory is private to you.
  • 227.
    - PowerShell is a configuration and task automation framework consisting of a command-line shell and a scripting language; the AWS Tools for PowerShell add cmdlets for managing AWS resources from it.
    - Because PowerShell is built on the .NET runtime, it can accept and return .NET objects. As a result, PowerShell differs from other shells, which can only accept and return text.
  • 228.
    - Cross-platform enabled
    - Output is object-based
    - Commands are extensible
    - Command aliases supported
    - PowerShell handles console input and display
    - PowerShell has a pipeline
  • 229.
    - Installing PowerShell: https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up.html
    - Learning PowerShell: https://docs.aws.amazon.com/powershell/latest/userguide/pstools-using.html
    - PowerShell cmdlet Reference: https://docs.aws.amazon.com/powershell/latest/reference/Index.html
    - Developer blog: https://aws.amazon.com/blogs/developer/category/programing-language/dot-net/
  • 230.
    - The AWS CLI (command-line interface) is a set of commands that you can use to create and manage AWS resources.
    - Unlike the AWS Management console, the AWS CLI has an emphasis on automation.
  • 231.
    - Can be installed and run on Windows, Linux, and macOS environments.
    - Can be run in AWS CloudShell and in Docker.
    - Offers a flexible command-line interface for managing AWS solutions or workloads.
    - Supports long-running operations.
    - Allows you to query command-line results, with output returned in your format of choice (JSON, YAML, text, or table).
    - Can use one named profile (a set of credentials and defaults) for all commands, or vary the profile per command with --profile.
    - Works across the AWS partitions (standard, China, and GovCloud (US) regions).
    - Provides settings that you can configure for the default region, output format, and credentials.
  • 233.
    - The AWS Console Mobile Application lets you access, manage, and monitor all your AWS accounts and resources.
    - The AWS Console Mobile Application is available for iOS and Android and can be used on phones or tablets.
  • 234.
    - AWS CloudFormation is a service that allows you to work with all the essential resources that are part of a solution or workload as a group.
    - You can use AWS CloudFormation to deploy, update, and delete all resources that form a solution or workload in a single process.
    - You can also use CloudFormation templates to streamline deployments of resources or solutions.
  • 235.
    - Templates: a CloudFormation template is where you define your AWS resources and their properties.
    - Stacks: a stack is a set of related resources that are deployed together.
    - Change sets: a change set is a summary of the proposed changes to the running resources in a stack.
  • 236.
    - Create your own template in Designer. Template sections:
      - Format Version
      - Description
      - Metadata
      - Parameters
      - Rules
      - Mappings
      - Conditions
      - Transform
      - Resources (required)
      - Outputs
    - Load a quickstart template
    - Use a sample template
    - Save a template
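    The sections above are easiest to see in a concrete template, and a change set is easiest to understand as a diff of the Resources section between what is deployed and what you propose. The added example below (not from the course deck) assembles a small web-tier template as Python data, checks the two structural rules that matter most (Resources is required, every Ref must point at a declared parameter or resource), and then previews a change set by diffing the current and proposed templates into Add / Modify / Remove actions. The templates, AMI placeholder and property values are constructed; the real change set is computed by CloudFormation itself and additionally tells you whether a modification needs replacement of the resource.

```python
"""Assemble a minimal CloudFormation template and preview a change set by
diffing the Resources sections of the current and proposed templates.

Added example, not from the course deck. Both templates are constructed;
the diff mirrors only the Add / Modify / Remove actions a change set lists."""
import copy
import json
import re

RESOURCE_TYPE = re.compile(r"^AWS::[A-Za-z0-9]+::[A-Za-z0-9]+$")

CURRENT = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Web tier (constructed example)",
    "Parameters": {"InstanceType": {"Type": "String", "Default": "t3.micro"}},
    "Resources": {
        "WebSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "WebInstance": {"Type": "AWS::EC2::Instance", "Properties": {
            "InstanceType": {"Ref": "InstanceType"}, "ImageId": "ami-EXAMPLE",  # placeholder
            "SecurityGroupIds": [{"Ref": "WebSecurityGroup"}]}},
        "LegacyBucket": {"Type": "AWS::S3::Bucket"},
    },
    "Outputs": {"InstanceId": {"Value": {"Ref": "WebInstance"}}},
}

# Proposed revision: close SSH to the internet, drop the old bucket, add logging.
PROPOSED = copy.deepcopy(CURRENT)
PROPOSED["Resources"]["WebSecurityGroup"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = "10.0.0.0/8"
del PROPOSED["Resources"]["LegacyBucket"]
PROPOSED["Resources"]["WebLogGroup"] = {"Type": "AWS::Logs::LogGroup",
                                        "Properties": {"RetentionInDays": 90}}


def find_refs(node):
    """Collect every {"Ref": name} in a template fragment."""
    refs = set()
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            refs.add(node["Ref"])
        for value in node.values():
            refs |= find_refs(value)
    elif isinstance(node, list):
        for value in node:
            refs |= find_refs(value)
    return refs


def validate_template(tmpl):
    """Structural checks: Resources present and non-empty, well-formed types,
    and no dangling Ref (pseudo parameters such as AWS::Region are allowed)."""
    errors = []
    resources = tmpl.get("Resources") or {}
    if not resources:
        errors.append("Resources section is required and must not be empty")
    for name, res in resources.items():
        if not RESOURCE_TYPE.match(res.get("Type", "")):
            errors.append(f"{name}: Type must look like AWS::Service::Resource")
    declared = set(resources) | set(tmpl.get("Parameters", {}))
    for ref in sorted(find_refs(resources) | find_refs(tmpl.get("Outputs", {}))):
        if ref not in declared and not ref.startswith("AWS::"):
            errors.append(f"Ref to undeclared name {ref!r}")
    return errors


def preview_changes(current, proposed):
    """Mirror a change set: (action, logical id, type) per changed resource."""
    cur, new = current["Resources"], proposed["Resources"]
    changes = []
    for name in sorted(set(cur) | set(new)):
        if name not in cur:
            changes.append(("Add", name, new[name]["Type"]))
        elif name not in new:
            changes.append(("Remove", name, cur[name]["Type"]))
        elif cur[name] != new[name]:
            changes.append(("Modify", name, cur[name]["Type"]))
    return changes


if __name__ == "__main__":
    print(json.dumps(PROPOSED, indent=2))       # JSON is one of the two template formats
    print(validate_template(PROPOSED))
    for change in preview_changes(CURRENT, PROPOSED):
        print(*change)
```

    Reviewing the Remove lines before executing a change set is the step that saves you from a deleted bucket or database: a stack update deletes whatever the proposed template no longer declares.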
  • 239.
    A company has a set of database administrators who are responsible for implementing and managing the database resources in the organization's AWS account. The database administrators have a set of on-premises Windows 10 workstations. Which of the following tools can they use? Choose the best response. A. AWS Management console and AWS CLI only B. AWS Management console, AWS CLI, and AWS PowerShell C. AWS CLI and AWS PowerShell only D. AWS Management console and AWS PowerShell only Answer: B
  • 240.
    A company has a set of app developers who are responsible for implementing and managing several apps in the organization's AWS account. The app developers have a set of on-premises macOS workstations. Which of the following tools can they use? Choose the best response. A. AWS Management console and AWS CLI only B. AWS Management console, AWS CLI, and AWS PowerShell C. AWS CLI and AWS PowerShell only D. AWS Management console and AWS PowerShell only Answer: B
  • 241.
    What base command do you type in AWS CloudShell to access the AWS CLI? Choose the best response. A. aws B. cli C. bash D. pwsh Answer: A
  • 242.
    You cannot connect to and manage EC2 instances or web apps with the AWS mobile app. True or false? A. True B. False Answer: B
  • 243.
    Which AWS service enables AWS architects to manage infrastructure as code? Choose the best response. A. CloudWatch B. CloudTrail C. CloudFormation D. CloudArchitect Answer: C
  • 244.
    What type of file is used to create a CloudFormation template? Select all that apply. A. ASP B. JSON C. HTML D. YAML E. PHP Answer: B and D
  • 245.
    Which of the following can you use to view how modifications will impact the running resources before implementing them? Choose the best response. A. A template B. A stack C. A transform set D. A change set Answer: D
  • 246.
    In this module, you'll learn how to:
    - Describe Amazon CloudWatch
    - Describe AWS CloudTrail
    - Describe AWS Trusted Advisor monitoring features
    - Describe the AWS health dashboards
  • 247.
    - Amazon CloudWatch is an AWS service that can help you increase the performance and availability of your applications and services.
    - The console is available at https://console.aws.amazon.com/cloudwatch/.
    - Metrics are automatically collected data points that measure some aspect of a system's performance at a particular point in time. A metric is a variable you want to monitor.
    - Logs are system and application events organized into records, with a different set of properties for each type. Log data is collected from your resources and applications by CloudWatch Logs.
  • 248.
    - Namespaces: a container you create for CloudWatch metrics.
    - Dimensions: a name/value pair that you can use to identify a metric.
    - Statistics: aggregations (such as Average, Sum, or Maximum) of metric data that AWS collects over a specified period.
    - Percentiles: indicate the relative position of a value in a dataset.
    - Alarms: proactively notify you of changing or critical conditions within the collected data.
  • 249.
    - Amazon CloudWatch Logs Insights: an interactive, pay-as-you-go log analytics service that allows you to manage, explore, and analyze your application and system logs.
    - CloudWatch ServiceLens: a service that is integrated with AWS X-Ray to allow you to visualize and analyze the availability, performance, and health of your applications. You can use CloudWatch ServiceLens to monitor and visualize three areas of an application:
      - Application infrastructure
      - Application dependencies
      - End user monitoring
    - Contributor Insights: a service that allows you to analyze time-series data to see which factors are influencing your system performance. You can use Contributor Insights to quickly diagnose, isolate, and remediate issues during an operational event.
    - Container Insights: a service that allows you to monitor the performance of your containerized applications and microservices.
    - Application Insights: a service that you can use to monitor your applications that use Amazon EC2 instances as well as other application resources. Application Insights identifies and sets up key logs, metrics, and alarms across your application resources.
  • 250.
    - Dashboards allow you to join different kinds of data into a single pane in the Amazon CloudWatch console.
    - You can include both metrics and logs.
    - Dashboard visualizations include charts, graphs, and tables.
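    The terms on the CloudWatch slides fit together once you see the pipeline: raw samples for a metric (identified by namespace, name and dimensions) are aggregated per period with a statistic or percentile, and an alarm then looks at the last N periods and changes state when M of them breach the threshold. The added example below (not from the course deck) implements that evaluation over constructed CPUUtilization samples, including the "M out of N datapoints" rule that stops a single spike from paging anyone. The samples, period and thresholds are made up, and the INSUFFICIENT_DATA handling is a simplification of CloudWatch's missing-data treatment.

```python
"""Evaluate a CloudWatch-style alarm over constructed metric samples:
aggregate into periods with a statistic (Average, Maximum, pNN), then apply
the threshold with the "M out of N datapoints" rule.

Added example, not from the course deck; the samples are made up and the
missing-data handling is simplified."""
import math
from collections import defaultdict

PERIOD = 60  # seconds, a standard-resolution CloudWatch period

# Constructed samples for namespace AWS/EC2, metric CPUUtilization,
# dimension InstanceId=i-0aaa: (timestamp in seconds, value in percent).
SAMPLES = [
    (0, 20), (15, 25), (30, 22), (45, 30),        # period 0: idle
    (60, 85), (75, 90), (90, 88), (105, 95),      # period 1: hot
    (120, 91), (135, 89), (150, 93), (165, 97),   # period 2: hot
    (180, 40), (195, 38), (210, 42), (225, 41),   # period 3: dip
    (240, 92), (255, 94), (270, 91), (285, 99),   # period 4: hot
]

COMPARISONS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def aggregate(samples, period, statistic):
    """Bucket samples by period start and reduce each bucket with the
    statistic. Returns [(period_start, value)] in time order."""
    buckets = defaultdict(list)
    for ts, value in samples:
        buckets[ts // period * period].append(value)
    if statistic.startswith("p"):
        reduce = lambda v: percentile(v, float(statistic[1:]))
    else:
        reduce = {"Average": lambda v: sum(v) / len(v), "Maximum": max,
                  "Minimum": min, "Sum": sum, "SampleCount": len}[statistic]
    return [(start, reduce(values)) for start, values in sorted(buckets.items())]


def alarm_state(datapoints, threshold, evaluation_periods,
                datapoints_to_alarm=None, comparison="GreaterThanThreshold"):
    """ALARM if at least datapoints_to_alarm of the last evaluation_periods
    datapoints breach, OK otherwise, INSUFFICIENT_DATA if the window is not
    yet full (simplified: real alarms also have a missing-data policy)."""
    datapoints_to_alarm = datapoints_to_alarm or evaluation_periods
    if datapoints_to_alarm > evaluation_periods:
        raise ValueError("datapoints_to_alarm cannot exceed evaluation_periods")
    if len(datapoints) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    window = [value for _, value in datapoints[-evaluation_periods:]]
    breaching = sum(1 for v in window if COMPARISONS[comparison](v, threshold))
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


if __name__ == "__main__":
    averages = aggregate(SAMPLES, PERIOD, "Average")
    print(averages)
    print(alarm_state(averages, 80, evaluation_periods=3))                        # needs 3 of 3
    print(alarm_state(averages, 80, evaluation_periods=3, datapoints_to_alarm=2))  # 2 of 3
    print(aggregate(SAMPLES, PERIOD, "p99")[-1])
```

    The same evaluation rule is what a billing alarm uses on the EstimatedCharges metric: one datapoint, one period, GreaterThanThreshold against your dollar figure.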
  • 253.
    - CloudTrail creates logs that give you specific information on what occurred in your AWS account by recording API calls.
    - When an API call occurs, the following information is recorded:
      - The identity of the API caller
      - The time of the API call
      - The source IP address of the API caller
    - The console's event history keeps 90 days of management events; to retain logs longer, deliver them to S3 for analysis, or capture data events (for example object-level S3 access), you create a trail.
  • 255.
    When you enable CloudTrail Insights, an optional feature, CloudTrail automatically detects unusual API activity in your AWS account.
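    The three recorded facts above (who, when, from where) are exactly what you need to answer the question in the quiz that follows, "who terminated these instances?". The added example below (not from the course deck) walks a constructed CloudTrail log file, a trimmed imitation of the real Records array with made-up account, role, IP and instance identifiers, and extracts the successful TerminateInstances calls per instance, the calling principal, whether the session was MFA-authenticated, and a per-principal count. Calls that returned an error are skipped, since nothing was terminated, but they are worth a second function of their own as an access-denied signal.

```python
"""Answer "who terminated these instances?" from a CloudTrail log file.

Added example, not from the course deck. The records are a constructed,
trimmed CloudTrail log (real files are gzip-compressed JSON with the same
Records array); account, role, IP and instance identifiers are made up."""
import json
from collections import Counter

ROLE = "arn:aws:sts::111122223333:assumed-role/OpsAdmin/bob"
SESSION_NO_MFA = {"attributes": {"mfaAuthenticated": "false"}}

SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T09:12:44Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T22:03:10Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "sourceIPAddress": "198.51.100.77", "userAgent": "console.ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE, "sessionContext": SESSION_NO_MFA},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa"},
                                                      {"instanceId": "i-0bbb"}]}}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T22:05:31Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "sourceIPAddress": "198.51.100.77", "userAgent": "console.ec2.amazonaws.com",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE, "sessionContext": SESSION_NO_MFA},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0ccc"}]}}},
    {"eventVersion": "1.08", "eventTime": "2024-05-02T07:40:02Z", "awsRegion": "eu-west-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "sourceIPAddress": "autoscaling.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0ddd"}]}}},
]})


def principal(identity):
    """Best available name for the caller: ARN for users and roles, the
    invoking service for AWSService records, else the identity type."""
    return identity.get("arn") or identity.get("invokedBy") or identity.get("type")


def terminations(log_text):
    """Successful TerminateInstances calls, one row per instance."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventName") != "TerminateInstances" or "errorCode" in rec:
            continue
        ident = rec["userIdentity"]
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        for item in rec["requestParameters"]["instancesSet"]["items"]:
            rows.append({"instanceId": item["instanceId"], "who": principal(ident),
                         "when": rec["eventTime"], "sourceIP": rec["sourceIPAddress"],
                         "region": rec["awsRegion"], "mfa": mfa == "true"})
    return rows


def who_terminated(log_text, instance_id):
    return [r for r in terminations(log_text) if r["instanceId"] == instance_id]


def terminations_by_principal(log_text):
    return Counter(r["who"] for r in terminations(log_text))


def denied_calls(log_text):
    """(who, eventName, sourceIP) for calls that failed authorization."""
    return [(principal(r["userIdentity"]), r["eventName"], r["sourceIPAddress"])
            for r in json.loads(log_text)["Records"]
            if r.get("errorCode") == "Client.UnauthorizedOperation"]


if __name__ == "__main__":
    for row in who_terminated(SAMPLE_LOG, "i-0aaa"):
        print(row)
    print(terminations_by_principal(SAMPLE_LOG))
    print(denied_calls(SAMPLE_LOG))
```

    The mfa field is the detail a responder looks at first: a destructive console action from a role session without MFA, from an address outside your ranges, is the pattern that separates "operator mistake" from "stolen credentials". For a real investigation across many log files, load them into Athena or CloudWatch Logs Insights rather than looping in Python, but the fields are the same.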
  • 257.
     AWS TrustedAdvisor is a service that inspects your AWS environment and provides real-time recommendations based on AWS best practices.
  • 258.
     Now acombined dashboard from the previous Service Health Dashboard and Personal Health Dashboard  Provides the general status of AWS services.  Also provides a personalized view of the health of AWS services and any alerts when your resources might be impacted.
  • 261.
     Your organization has a limited budget and is worried about cost overruns. Which of the following options can be used to notify the organization when the monthly AWS bill exceeds $3000? Choose the best response.
     A. Set up a CloudWatch billing alarm that triggers an SNS notification to an email address.
     B. Set up a CloudTrail billing alarm that triggers an SNS notification to an email address.
     C. Configure Trusted Advisor to send an alert when the bill threshold has been reached.
     D. Configure the Amazon Simple Email Service to send an SNS billing notification to an email address.
     Answer: A
  • 262.
     Your company has deployed an application on several EC2 instances. Recently, customers are complaining that sometimes they can’t reach your application. Which AWS service allows you to monitor the performance of your EC2 instances to assist in troubleshooting? Choose the best response.
     A. AWS CloudTrail
     B. AWS CloudWatch
     C. AWS Health Dashboard
     D. Service Health Dashboard
     Answer: B
  • 263.
     Which of the following are types of data collected by Amazon CloudWatch? Select all that apply.
     A. Metrics
     B. Logs
     C. JSON files
     D. Config files
     Answer: A and B
  • 264.
     Which of the following can you use to log API calls? Choose the best response.
     A. CloudWatch
     B. CloudTrail
     C. Application Insights
     D. Trusted Advisor
     Answer: B
  • 265.
     What can you use to visualize different kinds of data in a single pane in Amazon CloudWatch? Choose the best response.
     A. Power BI
     B. Views
     C. Dashboards
     D. Event Hub
     Answer: C
  • 266.
     You have noticed several critical EC2 instances have been terminated. Which of the following AWS services would help you determine who took this action? Choose the best response.
     A. CloudWatch
     B. CloudInspector
     C. CloudTrail
     D. Trusted Advisor
     Answer: C
  • 267.
     What health dashboard provides a global view of the health condition for AWS services? Choose the best response.
     A. AWS Status Dashboard, under Service health
     B. AWS Health Dashboard, under Service health
     C. Resource Health Dashboard
     D. AWS Health Dashboard, under Your account health
     Answer: B
  • 268.
     The Status Health Dashboard can only be accessed by people with current subscriptions to the AWS platform. True or false?
     A. True
     B. False
     Answer: B
  • 269.
     Which of the following does the Personal Health Dashboard provide? Select all that apply.
     A. The current status of all AWS services.
     B. A personalized view of the status of AWS services that run your applications.
     C. Detailed troubleshooting guidance to address AWS events impacting your applications.
     D. Detailed guidance on how to optimize costs for running your application.
     E. Proactive notifications about upcoming maintenance that might affect your application.
     Answer: A, B, C, and E
  • 270.
     How long are events held in your Event log? Choose the best response.
     A. 30 days
     B. 90 days
     C. 120 days
     D. Until you delete them manually.
     Answer: B
  • 271.
     You should now know how to:
     • Describe core architectural components such as regions, Edge locations, Availability Zones, Local Zones, and resource groups
     • Describe and use AWS tools such as AWS Management Console, AWS CLI, AWS CloudShell, and AWS Console Mobile Application
     • Describe and use AWS monitoring tools such as Amazon CloudWatch, CloudTrail, Trusted Advisor, and the AWS Health Dashboard
  • 272.
     In this chapter, you'll learn how to:
     • Describe services available for compute such as Elastic Compute Cloud (EC2) instances, Auto Scaling, Elastic Container Service (ECS) and Fargate, and Elastic Kubernetes Service (EKS)
     • Describe Serverless computing and AWS products such as Lambda
     • Describe Elastic Beanstalk and the AWS Marketplace
     • Describe networking services available for AWS, including Virtual Private Cloud (VPC), VPN Gateway, Route 53, Direct Connect, and AWS PrivateLink
  • 273.
     In this module, you'll learn how to:
     • Describe and create Elastic Compute Cloud (EC2) instances
     • Describe Auto Scaling
     • Explain Elastic Container Service (ECS) and Fargate, and Elastic Kubernetes Service (EKS)
  • 274.
  | Service name | Service function |
  | --- | --- |
  | Elastic Compute Cloud (EC2) instances | Creates simulated servers with Windows or Linux operating systems hosted in AWS |
  | Auto Scaling | Creates and manages a set of autoscaling, load-balanced EC2 instances |
  | Batch | Performs cloud-scale job scheduling and compute management for high-performance and parallel computing applications |
  | Amazon Elastic Container Service (ECS) | Runs containerized apps on AWS without provisioning EC2 instances or servers |
  | Amazon Elastic Kubernetes Service (EKS) | Manages a cluster of EC2 instances that run containerized services |
  | AWS Fargate | Serverless compute service for containers |
  | AWS Lambda | Processes events with a serverless compute service |
  • 275.
     EC2 instances are ideal when you need:
     • Complete control over the operating system (OS)
     • The ability to have custom hosting configurations
     • The ability to run custom software
  • 276.
     • The virtual private cloud (VPC)
     • EC2 instance name
     • EC2 instance location
     • EC2 instance type

  | EC2 instance type | Description |
  | --- | --- |
  | General-purpose | Designed to provide a roughly equivalent balance of CPU, memory, and networking resources. Consider using a general-purpose instance for applications that don’t require optimization in any single resource area. |
  | Compute-optimized | Designed to have a high CPU-to-memory ratio and utilize high-performance processors. |
  | Memory-optimized | Designed to have a high memory-to-CPU ratio. |
  | Storage-optimized | Designed to have high disk IO and throughput. |
  | Accelerated computing | Designed for heavy compute; uses hardware accelerators or coprocessors to perform functions more efficiently. |
  • 277.
     • Instance performance level
     • Amazon Machine Images (AMI)
     • Root device storage
     • EC2 instance limits
     • EC2 instance availability
     • Instance lifecycle
  • 279.
     • EC2 Auto Scaling
     • AWS Batch
  • 280.
     • AWS offers a service that provides automatic scaling for EC2 instances called EC2 Auto Scaling.
  • 281.
     • Easily create and manage an EC2 Auto Scaling group
     • Increases application availability and resiliency
     • Auto scales applications as resource demand changes

  | Scenario | Manual EC2 instance process | EC2 Auto Scaling |
  | --- | --- | --- |
  | High availability and redundancy | Manually distribute EC2 instances across Availability Zones | Automatically distributes EC2 instances across Availability Zones |
  | Add additional instances | Manually create, configure, and ensure compliance | Automatically creates EC2 instances from a central configuration |
  | Traffic balancing and distribution | Manually create and configure a load balancer | Automatically integrates with a load balancer |
  | EC2 instance scaling | Manually monitor and implement AWS Automation | Automatically scales based on specified conditions in a scaling policy |
  • 282.
     • Dynamic scaling – The capacity of your Auto Scaling group changes in response to fluctuations in demand.
     • Predictive scaling – The capacity of your Auto Scaling group is automatically scheduled based on forecasted demand.
  • 283.
     • Options
       – Minimum capacity
       – Desired capacity
       – Maximum capacity
  • 284.
  • 286.
     • AWS Batch enables running large-scale parallel and high-performance computing (HPC) batch jobs.
     • Components
       – Job
       – Job definition
       – Job queue
       – Compute environment
  • 287.
     1. Create a compute environment.
     2. Create a job queue.
     3. Create a job definition.
     4. Create a job.
     5. Review and create.
  • 290.
     • Containers are a lightweight solution that solves some of the problems of using virtual machines.
     • Small and fast
     • Start up quickly
     • Bundle a single application and its dependencies, and deploy it as a containerized app, as one unit, on a container host
  • 291.
     • Amazon Elastic Container Service (Amazon ECS) is a highly scalable, regional container management service.
     • You can use Amazon ECS to run, stop, and manage containers on a cluster.
     • Because Amazon ECS is a regional service, you can run containers across multiple Availability Zones within a region to make them highly available.
  • 292.
     • Clusters
     • Containers
     • Container images
     • Container registry
     • Container agent
     • Task definitions
     • Tasks
     • Service
     • Scheduler
  • 293.
     • Microservices – An approach where you break solutions into smaller, independent pieces.
     • Orchestration refers to the automation and coordination of the configuration and management of all software and interactions within a cloud-based environment.
  • 294.
     • AWS Fargate is a managed infrastructure that you can use with Amazon ECS to run containers.
     • No need to provision, configure, scale, or manage clusters of Amazon EC2 instances or servers to run your containers.
  • 296.
     • Kubernetes is an open-source system for automating deployment, management, and scaling of containerized applications.
     • Amazon’s EKS is useful for scenarios where you need full container orchestration, including automatic scaling, service discovery across multiple containers, and coordinated application upgrades.
  • 297.
     • Kubernetes cluster
     • Control plane
     • Nodes
     • Node pools
     • Pods
     • Deployments
     • ReplicaSet
     • Set types
     • Namespaces
  • 299.
     • No need to manage infrastructure
     • Increased scalability
     • Micro-billing
  • 300.
     • AWS Lambda is a Functions-as-a-Service (FaaS) offering.
     • In a FaaS model, you don’t need to worry about the hosting infrastructure; you simply write and deploy your functions, and AWS Lambda automatically runs them.
     • AWS Lambda functions are stateless. Stateless functions behave as if they’re restarted every time they respond to an event.
  • 301.
     1. Upload your code (functions) to Lambda.
     2. Set your code to trigger from an event source, such as an AWS service, mobile application, or HTTP endpoint.
     3. Lambda only runs your code when triggered.
     4. You pay only for the compute time that you use.
  • 304.
     • Step Functions executes workflows
     • Step Functions has the following components:
       – A workflow is the business application or process you want to complete.
       – A state machine is a graphical depiction of a workflow.
       – A state is a step in a workflow.
       – A task is a state in a workflow that denotes a single unit of work that another AWS service performs.
  • 305.
     • Standard workflows have exactly-once execution for the workflow and can run for up to one year.
     • Express workflows have at-least-once execution for the workflow and can run for up to five minutes.
  • 306.
     • Function orchestration
     • Branching
  • 307.
     • Error handling
     • Human interaction integration
  • 308.
     • Parallel processing
     • Dynamic parallelism
  • 310.
     • Amazon EventBridge is a serverless computing infrastructure for applications that need to respond to events.
     • EventBridge uses a push mechanism instead of a polling mechanism for handling events.
  • 312.
     Your department is planning an AWS EC2 instance, and you need to select the appropriate type. Your workload is a high-traffic application server that needs to have a high CPU-to-memory ratio. Which type would you choose? Choose the best response.
     A. General-purpose
     B. Compute-optimized
     C. Memory-optimized
     D. Accelerated computing
     E. Storage-optimized
     Answer: B
  • 313.
     Your department spends several weeks configuring an EC2 instance for an application. After the workload increases, you decide you need another identical instance. How can you achieve this quickly? Choose the best response.
     A. Export an AWS Configuration file from the original instance and import it into the instance.
     B. Install Aurora on the original instance and then use it to provision a duplicate instance.
     C. Generate an EBS snapshot of the original instance and use that to create the new instance.
     D. Create an AMI from the original instance and launch a new instance using that AMI.
     Answer: D
  • 314.
     Which of the following AWS services provides elastic web-scale cloud computing that allows you to deploy operating system instances? Choose the best response.
     A. Amazon EBS
     B. Amazon EC2
     C. AWS Lambda
     D. AWS Batch
     Answer: B
  • 315.
     Order the steps to run an AWS Batch job.
     1. Create a compute environment.
     2. Create a job queue.
     3. Create a job.
     4. Review and create.
     Correct order is: 3, 1, 2, 4, 5
  • 316.
     Amazon ECS only supports multi-container groups on Windows. True or false?
     A. True
     B. False
     Answer: B
  • 317.
     Your organization has a video-sharing app that runs on millions of mobile devices. Demand is unpredictable and often spikes when there is a significant local or national event. Which AWS compute resource is the best match for this workload? Select all that apply.
     A. EC2 instances
     B. AWS Batch
     C. Step Functions
     D. AWS Lambda
     Answer: C and D
  • 318.
     Your organization has an existing web app running locally on a server located onsite. The web app requires additional capacity. You are planning to move to AWS instead of buying upgraded on-premises hardware. Which compute option would provide the quickest route to getting your web app running in AWS? Choose the best response.
     A. EC2 instances
     B. Amazon ECS
     C. AWS Batch
     D. Step Functions
     E. AWS Lambda
     Answer: A
  • 319.
     In AWS, the compute options provide different levels of control over configuring the environment in which your app runs. Order the compute options from “most control” to “least control.”
     1. Containers
     2. EC2 instances
     3. Serverless computing
     Correct order is: 2, 1, 3
  • 320.
     Lambda functions are normally stateless. True or false?
     A. True
     B. False
     Answer: A
  • 321.
     What are the two serverless compute options in AWS? Select two.
     A. EC2 Instances
     B. Step Functions
     C. AWS Batch
     D. AWS Lambda
     E. Amazon Elastic Container Service
     Answer: B and D
  • 322.
     In this module, you'll learn how to:
     • Describe the AWS Marketplace and its usage scenarios
     • Describe AWS Elastic Beanstalk
     • Describe Amazon Lightsail
     • Describe AWS Amplify
  • 323.
     • Amazon Machine Images (AMIs)
     • AWS CloudFormation templates
     • Software as a service (SaaS)
     • Custom solutions
  • 327.
     • AWS provides several solutions for building and deploying apps and websites:
       – AWS Elastic Beanstalk
       – Amazon Lightsail
       – AWS Amplify
  • 328.
     • AWS Elastic Beanstalk is a platform-as-a-service (PaaS) offering that helps you provision Amazon EC2-based environments.
     • AWS Elastic Beanstalk deploys the resources necessary to perform the following tasks for your environment:
       – Automatic scaling
       – Adjust capacity
       – Load balancing
       – Application health monitoring
  • 330.
     • A virtual private server (VPS) that provides you everything needed to build an application or website.
     • Amazon Lightsail benefits include:
       – Managed environments
       – Secure networking
       – Powerful API
       – High availability storage
       – Easily scale your solution
  • 332.
     • AWS Amplify is a collection of tools and services that can be used to help front-end web and mobile developers build scalable full-stack applications that are powered by AWS.
     • You can get started with Amplify by visiting https://sandbox.amplifyapp.com/getting-started
  • 333.
     • Configurable backends
     • Seamlessly connect to frontends
     • Deploy in a few clicks
     • Easily manage content
  • 334.
     Features
     • Authentication
     • APIs (GraphQL, REST)
     • Storage
     • Interactions
     • PubSub
     • DataStores
     • Functions
     • Analytics
     • AI/ML Predictions
     • Push Notifications

     Amplify provides
     • Fully managed hosting
     • CI/CD
     • Branch deployments
     • Atomic deployments
     • Custom domains
  • 336.
     How do you access the AWS Marketplace? Choose the best response.
     A. In the AWS Marketplace console, click All services.
     B. In the AWS Management Console, click Services, and then click AWS Marketplace Subscriptions.
     C. In the AWS Marketplace console, click Launch a Subscription.
     D. In a web browser, go to marketplace.aws.com.
     Answer: B
  • 337.
     All solutions and resources in the AWS Marketplace are free. True or false?
     A. True
     B. False
     Answer: False
  • 338.
     AWS Elastic Beanstalk is a PaaS service you can use to automate deployments. True or false?
     A. True
     B. False
     Answer: True
  • 339.
     When deploying web apps using Lightsail, you can only use the Linux OS. True or false?
     A. True
     B. False
     Answer: False
  • 340.
     Which AWS app service would be best if your solution requires auto-scaling? Choose the best response.
     A. AWS Elastic Beanstalk
     B. AWS Amplify
     C. AWS Lightsail
     D. AWS Lambda
     Answer: A
  • 341.
     You are deploying a static site from a Git repository. Which of the following AWS services would be the quickest solution for deployment? Choose the best response.
     A. AWS Elastic Beanstalk
     B. AWS Amplify
     C. AWS Lightsail
     D. AWS Lambda
     Answer: B
  • 342.
     Which app service would be the easiest way to launch and manage a virtual private server (VPS) in AWS? Choose the best response.
     A. AWS Elastic Beanstalk
     B. AWS Amplify
     C. AWS Lightsail
     D. AWS Lambda
     Answer: C
  • 343.
     In this module, you'll learn how to:
     • Explain and create a virtual network
     • Describe Virtual Private Cloud (VPCs), VPN Gateway, AWS Transit Gateway, Amazon Route 53, AWS Direct Connect, and AWS PrivateLink
  • 344.
  | Service name | Service function |
  | --- | --- |
  | Virtual Private Cloud (VPCs) | Creates private virtual networks by enabling many AWS resources, such as EC2 instances, to securely communicate with each other, the internet, and on-premises networks. |
  | Elastic Load Balancing | Evenly distributes inbound and outbound network connections to service endpoints or applications. |
  | AWS Transit Gateway | Creates connections between VPCs and on-premises networks through a central hub. |
  | Amazon Route 53 | Hosts DNS zones and records for your domain names in AWS. |
  | Amazon CloudFront | Delivers high-bandwidth content to your customers around the world. |
  | AWS Shield | Protects and defends your AWS-hosted applications from distributed denial of service (DDoS) attacks. |
  | AWS PrivateLink | Provides private connectivity between VPCs, services, and on-premises applications. |
  | AWS Direct Connect | Provides private, high-bandwidth, dedicated secure connections to AWS cloud services from your on-premises data center. |
  | AWS Global Accelerator | Distributes network traffic across AWS regions worldwide for high performance and availability. |
  | AWS Firewall Manager | Provides high-security, high-availability firewall capabilities with unlimited scalability. |
  • 345.
     • Loosely coupled architectures
     • N-tier architectures
  • 346.
     • Benefits
       – They can be updated independently.
       – They allow you to add to your solution.
       – They allow you to scale your services proportionally to the amount of data traffic.
  • 347.
     • An n-tier architecture means the solution is divided into two or more logical layers and physical tiers.
     • Each layer has a specific responsibility.
     • Tiers are physically separated and generally run on separate machines.
     • Several layers can be hosted on the same tier; however, physically separating them improves resiliency and scalability.
     • One drawback is that additional layers increase latency due to the additional network communication.
  • 349.
     • The AWS Virtual Private Cloud (VPC) service is the fundamental component for building a private network in AWS.
     • Key concepts
       – Account
       – Regions
       – Classless Inter-Domain Routing (CIDR) block
       – Subnets
       – VPC endpoints
       – Route table
       – Internet gateway
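     A VPC's CIDR block is carved into subnets, normally one per tier per Availability Zone, and two VPCs can only be peered when their CIDR blocks do not overlap. The following added example (not from the course) does that planning with the Python standard library; the CIDR ranges and AZ names are constructed. It also accounts for the five addresses AWS reserves in every subnet (network address, VPC router, DNS, one reserved for future use, and broadcast).

```python
"""Plan per-AZ subnets inside a VPC CIDR block and check peering candidates."""
import ipaddress


def plan_subnets(vpc_cidr, azs, tiers=("public", "private"), new_prefix=24):
    """Split vpc_cidr into equal /new_prefix subnets, one per (tier, AZ).

    Returns {(tier, az): IPv4Network}; raises ValueError when the VPC block is
    too small to hold every tier in every AZ (a common planning mistake that
    only surfaces when the third AZ is added later).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    needed = len(tiers) * len(azs)
    pool = list(vpc.subnets(new_prefix=new_prefix))
    if len(pool) < needed:
        raise ValueError(
            f"{vpc} yields only {len(pool)} /{new_prefix} subnets, need {needed}")
    plan = {}
    for tier in tiers:
        for az in azs:
            plan[(tier, az)] = pool.pop(0)
    return plan


def usable_hosts(subnet):
    """AWS reserves the first four and the last address of each subnet."""
    return subnet.num_addresses - 5


def overlaps(cidr_a, cidr_b):
    """True when the two blocks share any address (peering is impossible)."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def peering_conflicts(vpc_cidr, peer_cidrs):
    """Return the candidate peer CIDRs that clash with vpc_cidr."""
    return [p for p in peer_cidrs if overlaps(vpc_cidr, p)]


if __name__ == "__main__":
    azs = ["us-east-1a", "us-east-1b", "us-east-1c"]  # constructed AZ names
    for (tier, az), net in plan_subnets("10.0.0.0/16", azs).items():
        print(f"{tier:8s} {az}: {net}  ({usable_hosts(net)} usable IPs)")
    print("peering conflicts:",
          peering_conflicts("10.0.0.0/16", ["10.0.5.0/24", "172.16.0.0/16"]))
```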
  • 351.
     Communication between AWS resources
     • Through a virtual network
     • Through a virtual service endpoint
     • Through peering
  • 352.
     Communication with on-premises resources
     • Site-to-site (S2S) VPN
     • AWS Client VPN
     • AWS VPN CloudHub
     • AWS Direct Connect
  • 354.
     • You can use a transit gateway to connect your VPCs and on-premises networks.
     • A transit gateway operates as a regional virtual router for traffic moving in the form of packets between VPCs and on-premises networks.
     • A transit gateway elastically scales based on the volume of network traffic.
     • Routing through a transit gateway operates at the Network layer (OSI layer 3).
  • 355.
     • AWS PrivateLink establishes private connectivity between virtual private clouds (VPCs) and services hosted on AWS or on-premises without exposing data to the internet.
     • A VPC endpoint enables privately connecting a VPC to supported AWS services and VPC endpoint services that are powered by AWS PrivateLink without requiring an internet gateway, AWS Direct Connect connection, VPN connection, or NAT device.
  • 357.
     • There are ways to increase the availability and resiliency of your app solution, including using load balancers, gateways, and content delivery networks (CDNs).
  • 358.
     • You can configure a load balancer to balance several kinds of traffic:
       – Incoming traffic from the internet to EC2 instances
       – Internal traffic between EC2 instances in a VPC
       – Traffic in a hybrid network between on-premises computers and EC2 instances
       – Traffic being forwarded from an external source to a specific EC2 instance
  • 360.
     • Amazon’s Elastic Load Balancing is the single entry point for users.
     • An Elastic Load Balancer distributes inbound traffic that arrives at the load balancer’s front end to the back-end pool of EC2 instances (targets).
     • The instances can be in a single or multiple Availability Zones.
     • Using multiple Availability Zones increases the fault tolerance of your applications.
     • The traffic flows according to configured load balancing rules (listeners) and health checks.
     • The back-end pool instances can be single EC2 instances or EC2 instances in an Auto Scaling group.
  • 361.
     • Load balancer – Provides a single access point for the incoming traffic.
     • Listeners – Check for connection requests from users, using the protocol and port that you configure. You can add one or more listeners to your load balancer.
     • Target group – Routes requests to registered targets, such as S3 buckets, using the specified protocol and port number.
     • Health checks – Monitor the health status of all targets registered to a target group that is specified in a listener rule for your load balancer.
  • 362.
     • A Network Load Balancer is a Transport layer (OSI layer 4) load balancer.
     • When the load balancer receives a connection request, it selects a target from the default rule’s target group. It then attempts to open a TCP connection to the specified target on the port specified in the listener configuration.
  • 363.
     For TCP and UDP traffic, the load balancer selects a target based on the following information:
     • The protocol
     • Source IP address
     • Source port
     • Destination IP address
     • Destination port
  • 364.
     Benefits of NLB over Classic Load Balancer:
     • Handling volatile workloads
     • Scaling to millions of requests per second
     • Utilization of static IP addresses for the load balancer
     • Routing requests to multiple applications on a single EC2 instance
     • Registering targets by IP address, including targets outside the VPC of the load balancer
     • Using containerized applications
     • Monitoring the health of each service independently
  • 365.
     • You can use Gateway Load Balancers to deploy, manage, and scale virtual appliances.
     • A Gateway Load Balancer operates at the Network layer (OSI layer 3).
     • The listener rule defines the target group.
     • For the Gateway Load Balancer, you register the virtual appliances with a target group.
     • The Gateway Load Balancer then listens for all IP packets across all ports and forwards traffic to that target group.
     • The Gateway Load Balancer preserves flows to a target virtual appliance using either a 5-tuple (TCP/UDP flows) or a 3-tuple (non-TCP/UDP flows).
     • The Gateway Load Balancer and its registered virtual appliance exchange application traffic using the GENEVE protocol on port 6081.
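     The 5-tuple selection described for the Network Load Balancer and the 5-tuple/3-tuple flow preservation described for the Gateway Load Balancer are the same idea: hash the flow identity so every packet of one flow reaches the same target. The following added example (not from the course, and not AWS's actual implementation) models that behaviour over a constructed target group with health-check state, including the 3-tuple fallback for protocols that carry no ports; target IPs, client IPs and health states are constructed.

```python
"""Model of flow-hash target selection in a Layer-4 load balancer."""
import hashlib
from collections import Counter

TCP, UDP, ICMP = 6, 17, 1      # IP protocol numbers
PORT_PROTOCOLS = {TCP, UDP}    # the only protocols whose flows carry ports

# Constructed target group: target IP -> result of the last health check.
TARGET_HEALTH = {"10.0.1.10": True, "10.0.2.10": True, "10.0.3.10": False}


def flow_key(protocol, src_ip, src_port, dst_ip, dst_port):
    """5-tuple for TCP/UDP; 3-tuple (protocol, src, dst) for anything else,
    where the port arguments are meaningless and must not affect the choice."""
    if protocol in PORT_PROTOCOLS:
        return (protocol, src_ip, src_port, dst_ip, dst_port)
    return (protocol, src_ip, dst_ip)


def healthy_targets(health):
    """Only targets that passed their last health check are eligible."""
    return sorted(t for t, ok in health.items() if ok)


def select_target(health, protocol, src_ip, src_port, dst_ip, dst_port):
    """Deterministic choice over healthy targets: the same flow key maps to
    the same target for as long as the healthy set is unchanged."""
    targets = healthy_targets(health)
    if not targets:
        raise RuntimeError("no healthy targets in the target group")
    key = repr(flow_key(protocol, src_ip, src_port, dst_ip, dst_port)).encode()
    digest = hashlib.sha256(key).digest()
    return targets[int.from_bytes(digest[:8], "big") % len(targets)]


def distribution(health, flows):
    """Count how many of the given flows land on each target."""
    return Counter(select_target(health, *f) for f in flows)


if __name__ == "__main__":
    # Constructed client traffic: 1,000 TCP connections from one client using
    # successive ephemeral source ports to a listener on port 443.
    flows = [(TCP, "203.0.113.7", 49152 + i, "198.51.100.20", 443)
             for i in range(1000)]
    print(distribution(TARGET_HEALTH, flows))
    # An ICMP "flow" is keyed on the 3-tuple, so the port fields are ignored.
    print(select_target(TARGET_HEALTH, ICMP, "203.0.113.7", 0, "198.51.100.20", 0))
```

     The unhealthy target never receives a flow, and changing only the source port of a TCP flow may move it to another target, while two ICMP packets between the same hosts always share one.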
  • 366.
     • All incoming traffic is HTTP (port 80) or HTTPS (port 443)
     • An Application layer (OSI layer 7) load balancer explicitly designed for web applications.
  • 367.
     Benefits of using an Application Load Balancer over a Classic Load Balancer:
     • Configurable path conditions
     • Configurable host conditions
     • Configurable header conditions
     • Multiple routing requests
     • Redirecting requests
     • Returning a custom HTTP response
     • Registering load balancer targets by IP address
     • Registering Lambda functions as targets
     • Authenticating users of your applications through their corporate or social identities before routing requests
     • Using containerized applications
     • Monitoring each service’s health independently
  • 369.
     • Latency is how long it takes for a request to go from the user to the server and for the response to come back to the user.
     • Typically, latency is measured in milliseconds.
     • Reducing latency improves the user’s experience.
     • There are two good ways to reduce latency for your users:
       – Implement a content delivery network (CDN)
       – Use Route 53
  • 370.
     • A CDN is a distributed network of servers that can efficiently deliver web content to users in their local regions.
     • Benefits
       – Better handling of instantaneous high loads by using large-scale distribution.
       – Better performance and improved user experience, especially when users request multiple types of content.
       – Reduction of traffic to the origin server because user requests for content are served directly from edge locations.
  • 372.
     • Amazon CloudFront is a web service that can rapidly distribute your web content (static and dynamic) to your users.
     • Web content might include .html, .css, .js, image files, and video files.
     • You can use CloudFront to deliver your content through a global network of data centers called edge locations.
     • Edge locations are typically close to the end user and hold a CloudFront cache of the web content.
  • 373.
     • DNS (domain name) management
     • DNS-level traffic routing
     • Failover services (health checks)
  • 374.
     • Route 53 lets you register and manage domain names and their associated DNS settings for your website or web application.
  • 376.
     • Route 53 automatically sends requests over the internet to an endpoint, such as a web server, to verify that it’s available, reachable, and functional.
     • Optionally, you can configure Amazon CloudWatch alarms for your health checks so that you receive notifications when resources become unavailable.
  • 380.
     With loosely coupled architectures, components can be updated independently, but you cannot add to your solution. True or false?
     A. True
     B. False
     Answer: False
  • 381.
     What allows seamlessly connecting two or more VPCs in AWS? Choose the best response.
     A. Load balancing
     B. Virtual machine scale sets
     C. Virtual service endpoints
     D. Peering
     Answer: D
  • 382.
     Private load balancers are used to balance traffic inside your VPC, where only public IP addresses are used. True or false?
     A. True
     B. False
     Answer: False
  • 383.
     Which of the following allows you to establish a private connection between your on-premises network and AWS? Select all that apply.
     A. Direct Connect
     B. Peering
     C. Site-to-site (S2S) VPN
     D. AWS PrivateLink
     Answer: A and D
  • 384.
     Which of the following are true about using Application Load Balancer? Select all that apply.
     A. All your incoming traffic needs to be from HTTP (port 80) requests.
     B. It operates at level 7 of the OSI model.
     C. It operates at level 4 of the OSI model.
     D. It allows using gateway managed cookies for sessions.
     E. It does not support WAF.
     Answer: A, B, and D
  • 385.
     What is network latency? Choose the best response.
     A. The amount of data that the connection can carry.
     B. The amount of time it takes for data to travel over the network.
     C. The distance that the data must travel to reach its destination.
     D. The amount of time it takes to cache data in a CDN.
     Answer: B
  • 386.
     How does Route 53 reduce latency? Choose the best response.
     A. It chooses the endpoint that is the closest to the user’s DNS server.
     B. It chooses only the fastest networks between endpoints.
     C. It caches content on an edge server in a POP.
     D. It chooses the endpoint that’s closest to the Application Load Balancer.
     Answer: A
  • 387.
     Your organization has two app projects that require completely different network configurations. Which AWS service will allow you to isolate resources and network configurations? Choose the best response.
     A. Edge locations
     B. Amazon CloudFront
     C. Route 53
     D. Virtual Private Cloud
     Answer: D
  • 388.
     Which of the following is an AWS global content delivery network (CDN) service? Choose the best response.
     A. Route 53
     B. AWS Direct Connect
     C. Amazon CloudFront
     D. AWS VPN
     Answer: C
  • 389.
     Which AWS service provides DNS in the AWS cloud? Choose the best response.
     A. Route 53
     B. AWS Direct Connect
     C. Amazon CloudFront
     D. AWS VPN
     Answer: A
  • 390.
     You should now know how to:
     • Describe services available for compute such as Elastic Compute Cloud (EC2) instances, Auto Scaling, Elastic Container Service (ECS) and Fargate, and Elastic Kubernetes Service (EKS)
     • Describe Serverless computing and AWS products such as Lambda
     • Describe Elastic Beanstalk and the AWS Marketplace
     • Describe networking services available for AWS, including Virtual Private Cloud (VPC), VPN Gateway, Route 53, Direct Connect, and AWS PrivateLink
  • 391.
     In this chapter, you'll learn how to:
     • Describe AWS storage, including the usage of Amazon Elastic Block Store (EBS), Amazon Elastic File System (EFS), Simple Storage Service (Amazon S3), AWS Backup, AWS Storage Gateway, and the AWS Snow Family
     • Describe AWS databases including the usage of Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon Redshift, and Amazon ElastiCache
     • Describe the AWS Database Migration Service
  • 392.
     In this module, you'll learn how to:
     • Describe AWS storage services including instance stores, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic File System (Amazon EFS), Simple Storage Service (Amazon S3), AWS Backup, and AWS Storage Gateway
     • Create a storage bucket
  • 393.
  | Storage type | Storage for… |
  | --- | --- |
  | Instance stores | Temporary block-level storage for instances |
  | Amazon Elastic Block Store (EBS) | Block-level storage volumes for AWS instances |
  | Amazon Elastic File System (EFS) | Files that you can access and manage like a file server |
  | Amazon Simple Storage Service (S3) | Massive objects, such as video and image files, graphics, or schematic drawings |
  | AWS Backup | Data protection that you can centrally manage and automate across AWS services |
  | AWS Storage Gateway | On-premises access to virtually unlimited cloud storage |
  • 394.
     • Cost savings
     • Automated backup and recovery
     • Replication across the globe
     • Support for data analytics
     • Security
     • Support for multiple data types
     • Data storage in EBS volumes
     • Storage classes
  • 395.
     • Structured data
       – Think of spreadsheets or database tables when thinking about structured data.
       – This type of data is highly organized and is also referred to as relational data.
       – The data schema defines the table of data, the fields in the table, and the precise relationship between them.
       – Keys indicate how data in one row of a table relates to data in another row of another table.
     • Unstructured data
       – Data that doesn’t have any specified structure. Because there isn’t any structure, there are no restrictions on the kinds of data it can store.
     • Semi-structured data
       – Data that doesn’t fit neatly into a scheme such as tables, columns, and rows but does have some way to organize the data.
       – Semi-structured data often uses keys or tags to organize and provide a hierarchy for the data.
       – Semi-structured data is also called non-relational data or NoSQL data.
  • 396.
  | Storage class | Description |
  | --- | --- |
  | S3 Standard | Optimized for storing frequently accessed data. Stores data in a minimum of three Availability Zones. |
  | S3 Intelligent-Tiering | Provides cost savings by automatically moving objects between four access tiers when access patterns change. |
  | S3 Standard-IA | Optimized for storing data that is accessed less frequently but requires rapid access when needed. Use this class if you are storing the primary copy, or a copy, of data that can’t be re-created. |
  | S3 One Zone-IA | Optimized for storing data in a single Availability Zone that is accessed less frequently but requires rapid access when needed. Use this class if you are able to recreate the data if the Availability Zone fails, and for object replicas when setting up S3 Cross-Region Replication (CRR). |
  | S3 Glacier | Used for rarely accessed or archived data that is stored for extended time periods and has flexible latency requirements. It might take a few minutes to a few hours to retrieve storage objects. |
  | S3 Glacier Deep Archive | Provides long-term retention and digital preservation for archived data that may be accessed once or twice a year. It might take up to 12 hours to retrieve storage objects. |
• Cost-effectiveness
• Reliability
• Storage types
• Agility

| Needs | On-premises storage | AWS data storage |
| --- | --- | --- |
| Compliance and security | Requires dedicated servers for privacy and security | Client-side encryption and encryption at rest |
| Store structured and unstructured data | Requires additional IT resources and dedicated servers | AWS Data Lakes analyze and manage all types of data |
| Replication and high availability | Requires more resources, licensing, and servers | Built-in replication and redundancy features available |
| Application sharing and access to shared resources | Requires additional admin resources for file sharing | File sharing options available without an additional license |
| Relational data storage | Requires a database server with a database admin role | Offers database-as-a-service options |
| Tiered storage | Requires technology and labor skills to manage tiered storage | Automated tiered storage of data |
• Instance stores provide temporary block-level storage for EC2 instances.
• An instance store is a storage volume on a disk that is physically attached to the host computer.
• You can only specify instance store volumes on EC2 instances when they are launched.
• You can’t move one instance’s store volume to a different instance.
• Amazon Elastic Block Store (Amazon EBS) is a solution that provides block-level storage volumes for use with EC2 instances.
• These block-level storage volumes are like physical disks in an on-premises server, except they are virtualized.
• The available types of volumes include:
  – Throughput Optimized HDD (st1)
  – Cold HDD (sc1)
  – General Purpose SSDs (gp3 and gp2)
  – Provisioned IOPS SSD (io2 and io1)
| Feature | Throughput Optimized HDD (st1) | Cold HDD (sc1) | General Purpose SSD (gp3 and gp2) | Provisioned IOPS SSD (io2 and io1) |
| --- | --- | --- | --- | --- |
| Disk type | HDD | HDD | SSD | SSD |
| Usage scenarios | Frequently accessed, throughput-intensive workloads | Infrequent access | Web servers, lightly used enterprise applications, and dev/test | Production and performance-sensitive workloads |
| Max volume size | 16 TiB | 16 TiB | 16 TiB | 64 TiB |
| Max IOPS | 500 | 250 | 16,000 | 256,000 |
| Max throughput per volume | 500 MiB/s | 250 MiB/s | 1,000 MiB/s | 4,000 MiB/s |
• High availability and durability
  – An EBS volume automatically replicates within its Availability Zone to prevent data loss due to any single hardware component’s failure.
• Data persistence
• Data encryption
  – All EBS volumes can be encrypted using the Amazon EBS encryption feature. The encryption takes place on the server hosting the EC2 instance. This provides encryption of data-in-transit from the EC2 instance to Amazon EBS storage.
Continued…
• Availability Zone integration
  – EBS volumes support Availability Zones, which protects your applications from data center failures.
• Flexibility
  – You can make configuration changes to EBS volumes while in production. You can modify volume size, volume type, and IOPS capacity without interrupting service.
Continued…
• Snapshots
  – A snapshot is an incremental backup. Each snapshot only saves the blocks on the device that have changed after the most recent snapshot.
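The incremental scheme described above, as an added Python model (not AWS code): a volume of fixed-size blocks, snapshots that store only the blocks written since the previous snapshot plus a reference to that parent, and a restore that walks the chain back to the first full snapshot. Block contents and snapshot ids are constructed for the illustration.

```python
"""Toy model of incremental EBS snapshots.

Added example, not AWS code. A volume is a fixed number of blocks; each snapshot
stores only the blocks written since the previous snapshot plus a reference to
that parent, yet any snapshot can be restored to a full image by walking the
chain. Block contents and snapshot ids are constructed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Snapshot:
    snapshot_id: str
    parent: Optional["Snapshot"]
    changed_blocks: Dict[int, bytes]       # only blocks changed since `parent`

    def restore(self, num_blocks: int) -> List[Optional[bytes]]:
        """Rebuild the full volume image from this snapshot and its ancestors.

        The newest snapshot wins: a block is filled the first time it is seen
        while walking from this snapshot back towards the first full one.
        """
        image: List[Optional[bytes]] = [None] * num_blocks
        seen: Set[int] = set()
        snap: Optional[Snapshot] = self
        while snap is not None:
            for idx, data in snap.changed_blocks.items():
                if idx not in seen:
                    image[idx] = data
                    seen.add(idx)
            snap = snap.parent
        return image


@dataclass
class Volume:
    num_blocks: int
    blocks: Dict[int, bytes] = field(default_factory=dict)
    dirty: Set[int] = field(default_factory=set)   # written since the last snapshot
    last_snapshot: Optional[Snapshot] = None
    _counter: int = 0

    def write(self, idx: int, data: bytes) -> None:
        if not 0 <= idx < self.num_blocks:
            raise IndexError(f"block {idx} out of range")
        self.blocks[idx] = data
        self.dirty.add(idx)

    def snapshot(self) -> Snapshot:
        """Save only the dirty blocks; the first snapshot therefore holds every written block."""
        self._counter += 1
        snap = Snapshot(
            snapshot_id=f"snap-{self._counter:04d}",   # constructed id
            parent=self.last_snapshot,
            changed_blocks={i: self.blocks[i] for i in sorted(self.dirty)},
        )
        self.dirty.clear()
        self.last_snapshot = snap
        return snap


def demo() -> dict:
    """Three snapshots of an 8-block volume: one full, then two incremental."""
    vol = Volume(num_blocks=8)
    for i in range(8):
        vol.write(i, f"v1-block{i}".encode())
    s1 = vol.snapshot()                      # stores 8 blocks
    vol.write(2, b"v2-block2")
    vol.write(5, b"v2-block5")
    s2 = vol.snapshot()                      # stores only blocks 2 and 5
    vol.write(2, b"v3-block2")
    s3 = vol.snapshot()                      # stores only block 2
    return {
        "blocks_stored": [len(s.changed_blocks) for s in (s1, s2, s3)],
        "s1_image": s1.restore(8),
        "s3_image": s3.restore(8),
    }
```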
• Amazon EBS encryption uses customer master keys (CMK) and AWS Key Management Service (AWS KMS) when creating encrypted volumes and snapshots.
• When you create an encrypted EBS volume and attach it to an EC2 instance, the following types of data are encrypted:
  – Data-at-rest inside the volume
  – Data-in-transit between the volume and the instance
  – Any snapshots created from the volume
  – Any volumes created from those snapshots
• Create and attach an Amazon EBS volume when you launch an EC2 instance by specifying the block device mapping.
• Create an empty Amazon EBS volume and attach it to a running instance.
• Create an Amazon EBS volume from a previously created snapshot and attach it to a running instance.
• Provides a fully managed file sharing solution for storing files in the cloud
• NFS protocol-based shared file system storage for Linux workloads
• A regional service that provides high availability and durability by storing data within and across multiple Availability Zones
• Amazon EC2 instances can access your file system across regions, Availability Zones, and VPCs
• Fully managed
• Elastic
• Shared access
• Durability
• Scripting and tooling
• Familiar programmability
• “Lift and shift” applications
• Replace or supplement on-premises file servers
• Simplify cloud development
• Containers and serverless persistent file storage
• Provides fully managed third-party file systems that include native compatibility and feature sets.
• These file systems are beneficial for workloads that require Windows-based storage, high-performance computing, and low latency.
• Amazon FSx supports two types of file systems:
  – Lustre
  – Windows Server File Server
• Lustre is an open-source parallel distributed file system. It is designed for high availability, high performance, and scalability.
• Amazon FSx for Lustre is a fully managed Lustre file system.
• Integration with S3 will enable you to:
  1. Automatically copy your data from S3 to FSx for Lustre.
  2. Run your workload.
  3. Write the results back to S3 for storage.
• Provides a fully managed native Microsoft Windows file system
• Includes full support for the following Windows features:
  – Windows NTFS
  – The SMB protocol
  – Active Directory (AD)
  – Distributed File System (DFS)
• Amazon Simple Storage Service (Amazon S3) is optimized for storing unlimited amounts of structured or unstructured data as objects that can be retrieved from anywhere on the internet.
• When you store data in Amazon S3, you work with resources that are called objects and buckets.
• An object is any type of file and its associated metadata that describes it.
• A bucket is simply a container for your objects.
• Create as many buckets as you want. Buckets are the basic containers Amazon S3 uses to store data.
• Store unlimited amounts of data in a bucket.
• Upload unlimited objects into a bucket.
• Upload objects up to 5 TB in size.
• Store and retrieve each object using a unique developer-assigned key.
• Download data. You or others can download objects from your buckets at any time.
• Assign an IAM policy to grant or deny access to others who want to upload or download data into your buckets.
• Use REST and SOAP interfaces to work with any internet-development toolkit.
• Buckets
  – A bucket is a basic container that Amazon S3 uses to store objects.
  – Every object is contained in a bucket.
  – Buckets are used to:
    • Organize the Amazon S3 namespace
    • Identify the billing account responsible for data transfer and storage charges
    • Carry out access control operations by assigning IAM policies to the buckets
    • Serve as the unit of collection for usage reporting
• Objects
  – Objects are the primary things stored in Amazon S3.
  – Store objects up to a maximum size of five terabytes.
  – An object is uniquely marked within a bucket with a key and a version ID.
  – Objects are composed of object data, metadata, and a key.
• Keys
  – A key is an object’s unique identifier within a bucket.
  – Every object in a bucket has a single key.
  – The combination of a bucket name, key, and version ID uniquely identifies each object in Amazon S3.
• Amazon enables server-side encryption on all S3 storage accounts.
• All AWS replication options support encryption.
• Amazon S3 encrypts stored data regardless of performance tier, access tier, or deployment model.
• Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard (AES-256) to encrypt your data.
Continued…
• By default, Amazon encrypts data in Amazon S3 with Amazon S3-Managed Keys (SSE-S3).
| Key management parameter | Amazon S3-Managed Keys (SSE-S3) | Customer Master Keys (CMKs) | Customer-Provided Keys (SSE-C) |
| --- | --- | --- | --- |
| Encryption/decryption operations | Amazon S3 | Amazon S3 | Amazon S3 |
| Amazon storage services supported | Amazon S3 | Amazon EBS, Amazon S3 | Amazon S3 |
| Key storage | AWS Key Management Service (SSE-KMS) | AWS Key Management Service (SSE-KMS) | Customer’s own key store |
| Key rotation responsibility | Amazon S3 | Customer | Customer |
| Key control | Amazon S3 | Customer | Customer |
• Versioning
  – Allows you to keep multiple variants of an object in the same bucket.
  – Buckets can have three states:
    • Unversioned (the default)—versioning has not been enabled for the bucket.
    • Versioning-enabled—versioning is enabled for the bucket.
    • Versioning-suspended—versioning was enabled previously for the bucket but is no longer enabled.
• S3 Object Lock
  – Provides protection against objects being changed or deleted.
  – Objects are stored using a write-once-read-many (WORM) model.
  – You can use Object Lock to prevent changes or deletion indefinitely or for a specified amount of time.
• Storage lifecycle
  – An S3 Lifecycle configuration contains rules that define actions that Amazon S3 applies to a group of objects.
  – There are two types of actions:
    • Transition actions—Specify when objects are moved to another Amazon S3 storage class.
    • Expiration actions—Specify when objects reach the end of their lifetime.
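Why versioning and Object Lock matter for recovery, shown as an added Python model (not AWS code or the S3 API): with versioning enabled an overwrite adds a version rather than replacing the object, a plain delete only inserts a delete marker so older versions stay retrievable, and a version under Object Lock retention cannot be permanently deleted before its retain-until date. The versioning-suspended state is not modelled; bucket name, keys, version ids and dates are constructed.

```python
"""Toy model of an S3 bucket with versioning and Object Lock.

Added example, not AWS code. Overwrites become new versions, a plain delete
adds a delete marker, and Object Lock retention refuses permanent deletion of
a locked version. Versioning-suspended is not modelled. All names, ids and
dates are constructed for the illustration.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


class ObjectLocked(PermissionError):
    """Raised when a version protected by Object Lock retention would be removed."""


@dataclass
class Version:
    version_id: str
    body: Optional[bytes]                 # None marks a delete marker
    retain_until: Optional[datetime] = None

    @property
    def is_delete_marker(self) -> bool:
        return self.body is None


@dataclass
class Bucket:
    name: str
    versioning_enabled: bool = False
    _versions: Dict[str, List[Version]] = field(default_factory=dict)
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def _new_id(self) -> str:
        return f"v{next(self._ids):04d}"  # constructed; real S3 version ids are opaque

    def put(self, key: str, body: bytes, retain_until: Optional[datetime] = None) -> Version:
        """Store an object; with versioning enabled every put becomes a new version."""
        if retain_until is not None and not self.versioning_enabled:
            raise ValueError("Object Lock requires versioning to be enabled")
        ver = Version(self._new_id(), body, retain_until)
        history = self._versions.setdefault(key, [])
        if self.versioning_enabled:
            history.append(ver)           # keep every variant of the object
        else:
            history[:] = [ver]            # unversioned: overwrite in place
        return ver

    def get(self, key: str, version_id: Optional[str] = None) -> Optional[bytes]:
        """Return the current version's data, or a specific version's data."""
        history = self._versions.get(key, [])
        if version_id is None:
            if not history or history[-1].is_delete_marker:
                return None               # the object looks deleted to a plain GET
            return history[-1].body
        for ver in history:
            if ver.version_id == version_id:
                return ver.body
        return None

    def delete(self, key: str, version_id: Optional[str] = None,
               now: Optional[datetime] = None) -> Optional[Version]:
        """Plain delete adds a delete marker; a versioned delete removes one version."""
        now = now or datetime.now(timezone.utc)
        history = self._versions.get(key, [])
        if version_id is None:
            if not self.versioning_enabled:
                self._versions.pop(key, None)   # gone for good
                return None
            marker = Version(self._new_id(), None)
            history.append(marker)              # logical delete, data still recoverable
            return marker
        for i, ver in enumerate(history):
            if ver.version_id == version_id:
                if ver.retain_until is not None and now < ver.retain_until:
                    raise ObjectLocked(f"{key}@{version_id} is locked until {ver.retain_until:%Y-%m-%d}")
                del history[i]                  # permanent removal of this version
                return ver
        return None

    def list_versions(self, key: str) -> List[str]:
        return [ver.version_id for ver in self._versions.get(key, [])]


def demo() -> dict:
    """Walk through overwrite, delete marker, Object Lock and recovery."""
    bucket = Bucket("example-reports-bucket", versioning_enabled=True)   # constructed name
    key = "reports/q1.csv"
    v1 = bucket.put(key, b"rev1")
    v2 = bucket.put(key, b"rev2", retain_until=datetime(2099, 1, 1, tzinfo=timezone.utc))
    marker = bucket.delete(key)                     # accidental or malicious delete: only a marker
    after_delete = bucket.get(key)                  # None: the object appears gone
    recovered = bucket.get(key, v1.version_id)      # b"rev1": the old version is still there
    try:
        bucket.delete(key, v2.version_id)           # WORM: permanent delete is refused
        lock_held = False
    except ObjectLocked:
        lock_held = True
    bucket.delete(key, marker.version_id)           # removing the marker restores the object
    return {"after_delete": after_delete, "recovered": recovered, "lock_held": lock_held,
            "restored": bucket.get(key), "versions": bucket.list_versions(key)}
```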
• Replication
  – S3 replication enables automatic, asynchronous copying of objects across Amazon S3 buckets.
  – To enable object replication, you add a replication configuration to your source bucket.
  – The minimum configuration must provide the destination bucket or buckets and an IAM role that has permissions to replicate objects.
  – There are two types of S3 replication:
    • Cross-Region Replication (CRR)—Used to copy objects across Amazon S3 buckets in different AWS regions.
    • Same-Region Replication (SRR)—Used to copy objects across Amazon S3 buckets in the same AWS region.
• Object tags
  – You can categorize your storage objects by adding tags to them.
  – Each tag is a key-value pair.
  – You can add up to 10 tags per object, and they can be added to new or existing objects.
• AWS Lake Formation is a managed service that makes it easy to set up, secure, and manage data lakes.
• AWS Lake Formation helps you to discover your data sources.
• It then helps you to cleanse, transform, and catalog the data.
• You can use AWS Lake Formation to ingest stored data and move it to an Amazon S3 data lake.
• Data lake
• Data Access
• Blueprint
• Workflow
• Data Catalog
• Underlying Data
• AWS Backup
• AWS Storage Gateway
• AWS Snow Family
• AWS Backup is a fully managed backup service.
• You can use AWS Backup to automate and centralize backups of your data across your AWS cloud services.
• AWS Backup can also back up your on-premises data.
• AWS Storage Gateway is a hybrid cloud storage service that connects an on-premises software appliance, or gateway, with cloud-based storage.
• You can use AWS Storage Gateway to provide a secure and seamless integration between your AWS cloud storage and your on-premises IT environment.
• Three types of storage:
  – File gateway
  – Volume gateway
  – Tape gateway
• AWS Snowcone – A portable, rugged, and secure edge device that is used for computing and data transfer.
• AWS Snowball – A data migration and edge computing device. There are two options for Snowball devices:
  – Compute Optimized devices that provide up to 52 vCPUs and 42 terabytes of usable block or object storage. Also includes an optional GPU for advanced use cases such as machine learning.
  – Storage Optimized devices that provide up to 40 vCPUs of compute capacity along with 80 terabytes of usable block or Amazon S3 object storage.
• AWS Snowmobile – A service that moves up to 100 PB of data in a large, sturdy shipping container and is ideal for multi-petabyte or exabyte-scale data migrations and data center moves or shutdowns.
Your organization is setting up a solution in AWS. The solution needs to provide a storage solution that provides home directories for employees. Which AWS storage solution would you choose? Choose the best response.
A. Amazon S3
B. Lake Formation
C. Amazon EFS
D. Amazon EBS
E. Instance stores
Answer: C
What is the primary kind of data that objects store? Choose the best response.
A. Structured
B. Unstructured
C. Semi-structured
Answer: B
Which solution allows you to handle massive amounts of unstructured data for big data analytics? Choose the best response.
A. Instance stores
B. AWS Lake Formation
C. AWS EFS
D. AWS EBS
E. Amazon S3
Answer: B
Which hybrid storage service enables an organization’s on-premises application to seamlessly use AWS cloud storage? Choose the best response.
A. AWS Storage Gateway
B. AWS Snowball
C. AWS Backup
D. Amazon S3
E. Amazon Direct Connect
Answer: A
Which type of AWS storage can be considered as a virtual hard disk in the cloud? Choose the best response.
A. Instance store
B. Amazon EFS file system
C. Amazon EBS volume
D. Amazon S3 archive
E. Amazon file gateway
Answer: C
Your organization wants to store copies of backups on Amazon S3. You need to have infrequent but rapid access to the backups. Which storage class fits these requirements? Choose the best response.
A. S3 Glacier Deep Archive
B. S3 Standard
C. S3 Glacier
D. S3 One Zone-IA
Answer: D
You are creating a web app on several AWS EC2 instances. Which storage service can you use if you need to connect multiple EC2 instances concurrently using file-level protocols? Choose the best response.
A. Instance stores
B. Amazon EFS
C. Amazon EBS
D. File gateway
Answer: B
Which of the following AWS storage services allows you to connect to storage from an on-premises application using standard file protocols? Choose the best response.
A. Instance stores
B. Amazon EBS
C. Amazon EFS
D. Amazon S3
E. Amazon Glacier
Answer: C
What type of AWS storage would you use for media files that you want to access via the internet? Choose the best response.
A. Amazon EBS
B. Amazon S3
C. Amazon EFS
D. Amazon FSx
Answer: B
You are working on a media storage application. You want to be able to allow read/write access to your S3 buckets. Which of the following would be best suited for this requirement? Choose the best response.
A. IAM user
B. IAM role
C. IAM group
D. IAM policy
Answer: D
In this module, you'll learn how to:
• Describe AWS database services
• Describe the Amazon Relational Database Service (Amazon RDS) and Amazon Aurora
• Describe Amazon DynamoDB
• Describe Amazon Redshift and Amazon ElastiCache
• AWS offers a wide variety of fully managed relational, NoSQL, and in-memory databases.
• Relational databases
  – Data is usually organized into multiple tables, each holding a specific type of data.
  – Create relationships between tables by linking one or more fields in one table to fields in another table.
  – Relational databases use structured query language (SQL) to store and query data.
Continued…

Example table:
| ID | Product name | Size | Price |
| --- | --- | --- | --- |
| 1 | House blend coffee | 12 oz | $4.50 |
| 2 | House blend black tea | 12 oz | $3.00 |
| 3 | House blend espresso | 8 oz | $4.00 |
• NoSQL databases
  – NoSQL databases (“non SQL” or “non-relational”) store data differently than relational tables.
  – A NoSQL database consists of a table where you can store and query data, but uses structures other than rows and columns to organize the data.
  – NoSQL databases come in several types based on their data model:
    • Key-value
    • Document
    • Graph
    • Wide-column
Continued…

Example key-value store:
| Key | Value |
| --- | --- |
| 1 | Name: Joe Fraiser; Address: 123 Main Street; Favorite drink: Black coffee |
| 2 | Name: Jill Smith; Favorite drink: Cappuccino; Birthday: July 8, 1975 |
| 3 | Name: Maria Garcia; Address: 123 North Avenue; Favorite dessert: Chocolate chip cookie |
• OLAP databases
  – Use multidimensional data models.
  – These data models allow for ad hoc queries and complex analytics, as well as rapid execution times.
  – Integrate features of relational databases, navigational databases, and hierarchical databases.
  – Typical applications of OLAP include sales reporting, marketing, business process management, budgeting, and financial reporting.
Continued…
• In-memory databases
  – An in-memory database primarily relies on the main computer memory for data storage.
  – In-memory databases are faster than disk databases because disk access is slower than memory access.
  – Accessing data in memory eliminates the seek time when querying the data.
| Service | Used to… |
| --- | --- |
| Amazon Relational Database Service (Amazon RDS) | Build traditional applications that use relational databases. Amazon RDS offers six database engines. |
| Amazon Aurora | Build applications that use relational databases at 1/10th the cost of commercial databases. Aurora is compatible with MySQL and PostgreSQL relational databases. |
| Amazon DynamoDB | Build low latency, highly available applications at any scale, or migrate NoSQL workloads to the cloud. |
| Amazon Redshift | Build data warehousing services that you can use for big data analytics. |
| Amazon ElastiCache | Build fast, scalable applications with open-source-compatible in-memory data stores. |
| AWS Database Migration Service | Migrate relational databases, non-relational databases, and other types of data stores. |
| Amazon DocumentDB | Set up, operate, and scale databases for Mongo workloads. |
| Amazon Neptune | Build applications that work with highly connected data sets, such as fraud detection, recommendation engines, and knowledge graphs. |
| Amazon Quantum Ledger Database (Amazon QLDB) | Provide a ledger database for transparent, immutable, and cryptographically verifiable transactions owned by a central trusted authority. |
| Amazon Timestream | Analyze and store sensor data for IoT applications, telemetry for application monitoring, and metrics for DevOps scenarios. |
| Feature | Amazon RDS | Amazon Aurora | Amazon DynamoDB | Amazon Redshift | Amazon ElastiCache |
| --- | --- | --- | --- | --- | --- |
| Database type | Relational | Relational | Non-relational database (NoSQL) | Online analytical processing (OLAP) | In-memory database |
| Data model | Relational | Relational | Key-Value | Relational | Key-Value |
| Serverless compute | No | Available (Aurora Serverless) | Yes | No | No |
| Best uses | Business applications, SaaS apps like CRM, ERP, and eCommerce | SaaS apps like CRM, ERP, and eCommerce | Mobile and web apps, gaming, IoT | Large-scale data warehouses, data analytics, and data migrations | Caching, chat, BI and analytics, session store, gaming leaderboards |
• Amazon Relational Database Service (Amazon RDS) is a platform as a service (PaaS) fully managed relational database service.
• Amazon RDS is available on five database engines plus Amazon Aurora. Supported database engines include:
  – PostgreSQL
  – MySQL
  – MariaDB
  – Oracle Database
  – Microsoft SQL Server
• Create highly available and high-performance data storage applications and solutions in AWS.
• Enable processing of both relational data and non-relational structures in applications.
• Utilize ACID (atomicity, consistency, isolation, durability) transactions, joins, or other complex transactions.
• Utilize advanced query processing features, such as intelligent query processing.
• Reduce administration of the underlying environment, such as the OS.
• DB instance
  – A solitary database environment in the AWS Cloud.
  – Can contain multiple databases.
• DB engine
  – The underlying software component that Amazon RDS uses to create, read, update and delete (CRUD) data from a database.
  – Each DB engine has its own supported features.
  – Each DB instance runs a DB engine.
• DB instance class
  – Determines the computation and memory capacity of an Amazon RDS DB instance.
  – Amazon RDS supports three types of instance classes:
    • Standard
    • Memory Optimized
    • Burstable Performance
• DB instance storage
  – Amazon RDS DB instances use Amazon EBS volumes for storing databases and logs.
  – Amazon RDS offers three storage types:
    • General Purpose SSD (also known as gp2)
    • Provisioned IOPS SSD (also known as io1)
    • Magnetic (also known as standard)
Continued…
• AWS regions, Availability Zones, and Local Zones
  – RDS allows you to place resources in multiple locations.
• Multi-AZ (high availability)
  – In a Multi-AZ deployment, RDS automatically creates a synchronous standby replica in a different Availability Zone.
  – Use RDS Multi-AZ deployments to provide high availability and failover support for DB instances.
• Read replicas
  – To serve read traffic, you can use read replicas.
  – RDS uses a DB engine’s built-in replication to create a special kind of DB instance, called a read replica, from a source DB instance.
  – The source DB instance becomes the primary DB instance, and updates made to it are asynchronously copied to the read replica.
  – The read replica functions as a DB instance that only permits read-only connections.
  – You can reduce the load on your primary DB instance by routing read queries from your applications to the read replica.
  – Read replicas are supported by all of the RDS DB engines.
  – You can use read replicas to:
    • Scale out past the compute or I/O capacity restrictions of a single DB instance.
    • Serve read traffic while the source (primary) DB instance is unavailable.
    • Run reporting queries against a read replica rather than your source (primary) DB instance for business reporting or data warehousing.
    • Implement disaster recovery.
Continued…
• Failover support for Amazon RDS
  – Multi-AZ deployments for MySQL, MariaDB, PostgreSQL, and Oracle DB instances use Amazon’s failover technology.
  – SQL Server DB instances use Always-On Availability Groups (AGs) or SQL Server Database Mirroring (DBM).
• Security
  – AWS uses the shared security responsibility model. This means you must manage network access to your Amazon RDS resources, such as your DB instances and databases.
  – The method you use to control access depends on what tasks the user needs to perform with Amazon RDS.
Continued…
• Monitoring an Amazon RDS DB instance
  – Monitoring is an essential part of sustaining the availability, reliability, and performance of Amazon RDS and your AWS workloads.
  – AWS offers several tools for monitoring your Amazon RDS resources and responding to potential incidents:
    • Amazon CloudWatch alarms
    • AWS CloudTrail logs
    • Enhanced monitoring
    • Amazon RDS Performance Insights
    • Database logs
    • Amazon RDS recommendations
    • Amazon RDS event notifications
    • AWS Trusted Advisor
• Amazon Aurora is a fully managed enterprise-class relational database that is also part of the Amazon RDS-managed database service. Aurora is compatible with MySQL and PostgreSQL relational DB engines.
• Aurora is:
  – Up to five times faster than a standard MySQL database
  – Up to three times faster than a standard PostgreSQL database
• Amazon Aurora automatically:
  – Replicates six copies of your data across three Availability Zones.
  – Continuously backs up your data to Amazon S3.
Continued…
• An Amazon Aurora DB cluster consists of DB instances and a cluster volume that handles their data. An Aurora cluster volume is a virtual database storage volume that covers multiple Availability Zones, and each AZ has a copy of the DB cluster data. There are two types of DB instances that make up an Aurora DB cluster:
  – Primary DB instance – Supports read and write operations and handles all the cluster volume’s data modifications. Each Aurora DB cluster has one primary DB instance.
  – Aurora replica – An Aurora replica connects to the same storage volume as the primary DB instance, but it only supports read operations.
• Amazon DynamoDB is useful for modern app development because it is a fully managed NoSQL database, which can handle semi-structured data.
• Amazon DynamoDB is a PaaS database service, which means you don’t need to spend time managing infrastructure.
• Mobile, gaming, web, and IoT applications often need to handle massive amounts of data, quickly read and write data globally, and respond in near-real-time.
• These types of applications will benefit from Amazon DynamoDB’s guarantee for:
  – High availability (99.99%)
  – High throughput
  – Extremely low latency (single-digit millisecond)
  – Tunable consistency
  – Enterprise-level security
  – Fully-managed database services
Continued…
• Serverless
  – DynamoDB automatically spreads your table’s data and traffic over enough servers to handle your throughput and storage requirements while sustaining consistent and fast performance.
  – All your data is stored on solid-state disks (SSDs).
  – The data is also automatically replicated across multiple Availability Zones in an AWS region to provide high availability and data durability.
• Automatic scaling
  – As your database’s size grows or shrinks, DynamoDB automatically scales to adjust for the capacity changes.
  – You can scale your tables’ throughput capacity up or down without downtime or performance degradation.
• Tables
• Items
• Attributes
• Primary Key
• Secondary Indexes
• DynamoDB Streams
• DynamoDB Accelerator (DAX)
• DynamoDB replication
• AWS doesn’t limit your options for databases.
• Amazon makes it easy to run a variety of databases to use with your apps.
• A fast, fully managed, petabyte-scale data warehouse service
• Use Amazon Redshift for your applications that need to handle I/O of complex data at massive velocities in near real-time
• An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into a group called a cluster.
• Each cluster runs an Amazon Redshift engine and contains one or more databases.
• The type and number of compute nodes or clusters that you need depends on the following:
  – The size of your data
  – The number of queries you will execute
  – The query execution performance that you need
• Amazon ElastiCache makes it easy to set up, manage, and scale distributed in-memory cache environments in the AWS Cloud.
• It provides a high-performance, resizable, and cost-effective in-memory cache while removing the complexity of deploying and managing a distributed cache environment.
• ElastiCache is ideal for applications that require sub-millisecond latency, such as a real-time IoT application.
| Feature | Memcached | Redis (cluster mode disabled) | Redis (cluster mode enabled) |
| --- | --- | --- | --- |
| Engine versions | 1.5.x | 2.8.x and later | 3.2.x and later |
| Data types | Simple | 2.8.x - Complex | 3.2.x and later - Complex |
| Data partitioning | Yes | No | Yes |
| Modifiable cluster | Yes | Yes | Limited (3.2.10 and later) |
| Online resharding | No | No | 3.2.10 and later |
| Encryption | No | 3.2.6, 4.0.10 and later | 3.2.6, 4.0.10 and later |
| High availability (replication) | No | Yes | Yes |
| Automatic failover | No | Optional | Required |
| Sorted sets | No | Yes | Yes |
| Backup and restore | No | Yes | Yes |
• AWS Database Migration Service is a web service you can use to migrate data from your on-premises database, an Amazon RDS DB instance, or a database on an Amazon EC2 instance to another AWS database service.
• At an overview level, when using AWS DMS, you do the following:
  1. Create a replication server.
  2. Create source and target endpoints that have connection information about your data stores.
  3. Create one or more replication tasks to migrate data between the source and target data stores.
• A task can consist of three major phases:
  1. A complete load of existing data
  2. The application of cached changes
  3. Ongoing replication
• Replication instance
  – A replication instance is a managed Amazon EC2 instance that hosts one or more replication tasks. It’s important to choose the right size instance for the migration. AWS DMS provides several replication instances so you can choose the optimal configuration for your situation.
• Source and target endpoints
  – The endpoint is the location where DMS accesses your source or target data stores. The connection information varies depending on your data store.
• Replication task
  – A replication task moves a set of data from the source endpoint to the target endpoint. Creating a replication task is the final step you need to perform before you start a migration.
Your organization needs to import a large amount of structured data into a database service. What is the best suited AWS database service to achieve this? Choose the best response.
A. Amazon ElastiCache
B. Amazon DynamoDB
C. Amazon RDS
D. Amazon DocumentDB
Answer: C
You are creating a solution that requires a database that can handle semi-structured data. Which AWS solution would you suggest? Choose the best response.
A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon RDS for PostgreSQL
D. Amazon RDS for MySQL
E. AWS Database Migration Service
Answer: B
What AWS service provides five times the performance of a standard MySQL database? Choose the best response.
A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon Aurora
D. Amazon RDS for MySQL
E. Amazon ElastiCache
Answer: C
You work as an on-premises MySQL DBA. The work of database configuration, backups, and patching can be time-consuming and repetitive. Your organization has decided to migrate to the AWS cloud. Which of the following can help save time on the regular database tasks so you can focus on providing faster performance and high availability to your users? Choose the best response.
A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon Aurora
D. Amazon RDS
E. AWS Database Migration Service
Answer: D
What is the AWS database service that allows you to upload data structured in key-value format? Choose the best response.
A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon Aurora
D. Amazon RDS
E. Amazon ElastiCache
Answer: B
You are developing an app that generates semi-structured data. You are planning to use Amazon RDS. Would this suit the requirement?
A. Yes
B. No
Answer: B
You are developing an app that requires a high level of query performance on large data sets. You are planning to use Amazon Redshift. Would this suit the requirement?
A. Yes
B. No
Answer: A
Which of the following Amazon RDS features facilitates offloading of database read activity? Choose the best response.
A. Database snapshots
B. Automated backups
C. Multi-AZ deployments
D. Read replicas
E. In-memory caching
Answer: D
You need to migrate an on-premises MySQL database to AWS RDS for MySQL. What type of migration is this? Choose the best response.
A. Homogeneous migration
B. Heterogeneous migration
C. On-premises migration
D. Hybrid migration
Answer: A
Which of the following is a feature of Amazon RDS that performs automatic failover when the primary database fails to respond? Choose the best response.
A. RDS snapshots
B. RDS Write replicas
C. RDS Single-AZ
D. RDS Multi-AZ
Answer: D
You should now know how to:
• Describe AWS storage, including the usage of Amazon Elastic Block Store (EBS), Amazon Elastic File System (EFS), Simple Storage Service (Amazon S3), AWS Backup, AWS Storage Gateway, and the AWS Snow Family
• Describe AWS databases, including the usage of Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon Redshift, and Amazon ElastiCache
• Describe the AWS Database Migration Service
In this chapter, you'll learn how to:
• Describe AWS messaging and queuing and AWS products such as Amazon Simple Notification Service (Amazon SNS) and Amazon Simple Queue Service (Amazon SQS)
• Describe the internet of things (IoT) and AWS IoT products such as AWS IoT Core, AWS IoT Device Management, AWS IoT Device Defender, and AWS IoT 1-Click
• Explain Big Data and Analytics and AWS products such as Amazon Athena, Amazon EMR, Amazon Redshift, Amazon Kinesis, Amazon Elasticsearch Service, Amazon Quicksight, and AWS Glue
• Describe Artificial Intelligence (AI) and Machine Learning (ML) and identify AWS AI and ML services such as Amazon Kendra, Amazon Comprehend, Amazon Personalize, and Amazon SageMaker
• Describe DevOps solutions such as AWS CodeCommit, CodeArtifact, CodeBuild, CodeDeploy, CodePipeline, Cloud9, AWS CodeStar, and X-Ray
In this module, you'll learn how to:
• Describe AWS messaging with Amazon Simple Notification Service (Amazon SNS)
• Describe AWS queueing with Amazon Simple Queue Service (Amazon SQS)
  • 489.
     Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service.
     It provides message delivery from publishers (also known as producers) to subscribers (also known as consumers).
     Publishers communicate asynchronously with subscribers by sending messages to a topic.
     An SNS topic is a logical access point and communication channel.
     Subscribers can enroll in the SNS topic and receive published notifications using supported endpoints.
    Continued…
  • 490.
     Amazon SNS provides both application-to-person (A2P) and application-to-application (A2A) communication.
     Some typical A2P endpoints include:
    – Mobile push notifications to mobile apps or mobile phone numbers
    – Mobile text messages (SMS)
    – Email addresses
     Some standard A2A endpoints include:
    – AWS Lambda functions
    – Amazon Kinesis Data Firehose delivery streams
    – Amazon SQS queues
    – HTTP/S
  • 491.
     Sending messages directly to millions of subscribers
     Delivering messages reliably
     Scaling workloads automatically
     Ensuring message accuracy
     Simplifying your messaging architecture
  • 494.
     The Amazon Simple Queue Service (Amazon SQS) is a service for storing, retrieving, and delivering large numbers of messages between applications.
     You can use Amazon SQS to help build decoupled applications that split an application's functions into separate components.
     You can use Amazon SQS to:
    – Collect a backlog of messages and pass them between different web servers.
    – Build resiliency against component failure when demand surges, or when a considerable number of users try to access your data simultaneously.
    – Distribute the load between different regions and servers to manage surges in traffic.
  • 495.
     Components
    – Components of your distributed system can be producers or consumers.
    – Producers send messages to the queue.
    – Consumers receive messages from the queue.
     Queue
    – A queue contains a set of messages. AWS offers two types of queues:
    • Standard queues: Support an almost unlimited number of API calls per second, per API action. Standard queues support at-least-once message delivery.
    • FIFO (First-In-First-Out) queues: Provide enhanced messaging between applications when the order of operations and events is critical, or where duplicates can’t be tolerated.
     Queue names
    – Amazon SQS assigns each queue created an identifier called a queue URL.
    – The queue URL includes the queue name and other Amazon SQS components such as the AWS account and region.
    – The queue URL has the following structure: https://sqs.us-east-2.amazonaws.com/<AWS account>/<queue name>
     Messages
    – Messages can be in any format as long as they are only up to 256 KB.
    – The default message retention period is 4 days. Eac
  • 496.
    1. A producer component sends message 1 to a queue. This message is redundantly distributed across the Amazon SQS servers.
    2. When a consumer component is ready to process messages, it retrieves message 1 from the queue. A visibility timeout begins. While message 1 is being processed, it remains in the queue. However, it isn’t available for subsequent retrieval requests during the visibility timeout.
    3. When processing is complete for message 1, the consumer component deletes message 1 from the queue to prevent the message from being retrieved and processed again when the visibility timeout expires.
  • 498.
    Which of the following are true about how publishers communicate using Amazon SNS? Select all that apply. A. Publishers communicate asynchronously with subscribers. B. Publishers communicate synchronously with subscribers. C. Publishers communicate asynchronously with consumers. D. Publishers communicate synchronously with producers. Answer: A and C
  • 499.
    Which of the following are A2P endpoints for Amazon SNS? Select all that apply. A. Mobile push notifications B. Amazon SQS queues C. Mobile text messages (SMS) D. Email addresses E. HTTP/S Answer: A, C, and D
  • 500.
    What kind of queue can you use to preserve any messages that aren’t delivered before the delivery retry policy ends? Choose the best response. A. Push queue B. Retry queue C. Hold-letter queue D. Dead-letter queue Answer: D
  • 501.
    In Amazon SQS, which type of queue provides enhanced messaging between applications when the order of operations and events is critical or where duplicates can’t be tolerated? Choose the best response. A. Dead-letter queue B. Standard queue C. FIFO queue D. Push queue Answer: C
  • 502.
    What is the maximum length of an Amazon SQS message? Choose the best response. A. 156 KB B. 256 KB C. 356 KB D. 498 KB Answer: B
  • 503.
    Which of the following are true when building applications that use Amazon SQS? Select all that apply. A. You can decouple your application’s functions into separate components. B. You cannot decouple your application’s functions into separate components. C. Decoupled applications tend to provide better resiliency across large workloads. D. Decoupling the application components does not allow them to scale independently. Answer: A and C
  • 504.
    In this module, you'll learn how to:
     Describe the internet of things (IoT)
     Describe AWS IoT products such as AWS IoT Core, AWS IoT Device Management, AWS IoT Device Defender, and AWS IoT 1-Click
  • 505.
     The internet of things (IoT) describes connecting physical objects—things—to the internet.
     These objects are embedded with software, sensors, and other technologies that allow them to connect and exchange data with other devices or systems over the internet.
     These objects, also known as IoT devices, have some processing power to control communications.
     The stream of data they generate (typically readings and measurements from sensors) is known as telemetry.
  • 506.
     Things – Physical “things” or devices that have embedded sensors and are connected to the internet. These things send telemetry data to a back-end application or service that is hosted on the cloud.
     Insights – Results from processing and analyzing the telemetry. These insights are produced from real-time analysis, machine learning, and other back-end processes.
     Actions – Automated or manual responses to the insights. Actions can include things like:
    • Automatically changing device settings
    • A manual intervention to repair a piece of equipment
    • An update to a computer system
  • 507.
     Examples of IoT devices and the type of sensor they might include are:
    – Thermostats with temperature and humidity sensors
    – A CPAP medical device with pressure, temperature, and humidity sensors
    – A fitness tracker with accelerometer, gyroscope, and altimeter sensors
    – A bank vault with presence sensors
  • 508.
     Typically, an IoT device sends readings or measurements from its sensors to back-end services in the cloud (device-to-cloud communication).
     Cloud-to-device communication is also possible, where the back-end service sends commands to the IoT device.
  • 509.
     Receiving readings and measurements from devices
     Determining how to process and store data
     Analyzing the readings and measurements to provide either real-time or after-the-fact insights
     Sending commands from the cloud to all or specific devices
     Determining which devices can connect to your infrastructure
     Monitoring the state of devices
     Managing the firmware installed on devices
  • 512.
     AWS IoT SiteWise – Allows you to collect, organize, and analyze industrial data at scale.
     AWS IoT Events – A fully managed IoT service. It allows you to detect and respond to events from massive numbers of IoT sensors and applications.
     AWS IoT Analytics – A fully managed service. It allows you to run complex analytics on massive volumes (up to petabytes) of IoT data.
  • 513.
     AWS IoT Device Management – An AWS service that makes it easy to register, organize, monitor, and remotely manage IoT devices securely and at scale.
     AWS IoT Core
    – Connect your IoT devices to the AWS cloud without needing to deploy or manage servers.
    – Supports trillions of messages and billions of devices.
     AWS IoT Device Defender
    – A fully managed security service for your fleet of IoT devices.
    – Constantly audits your IoT configurations to ensure that they aren’t deviating from pre-defined security best practices.
     AWS IoT Things Graph – An AWS service that allows you to visually connect different web services and devices when building your IoT applications.
  • 514.
     AWS IoT Greengrass – An IoT open-source cloud service and edge runtime. Using IoT Greengrass, you can build, deploy, and manage software for your devices.
     FreeRTOS – An open-source, real-time OS for small, low-power edge devices that use microcontrollers.
    – Makes it easy to program, deploy, connect, secure, and manage your devices.
    – Consists of a kernel and a growing set of software libraries.
  • 515.
     A simplified IoT solution that enables simple devices to trigger AWS Lambda functions. The Lambda functions then execute an action.
     You can find IoT 1-Click supported devices at https://aws.amazon.com/iot-1-click/devices/
     Some examples of simple devices include but are not limited to:
    – Button-like devices that can be clicked to trigger particular actions.
    – Asset trackers that trace containers in warehouses or trucks transporting materials.
    – Temperature sensors that track temperatures and trigger controls when temperatures reach pre-defined thresholds.
    – Card readers that track entry/exit of authorized personnel into offices, data centers, factories, laboratories, or other places with controlled access.
  • 517.
    You are developing an IoT solution that requires a managed service that provides communication between AWS applications and massive numbers of your IoT devices. Which AWS service would you recommend? Choose the best response. A. IoT Events B. IoT Device Defender C. IoT Analytics D. IoT 1-Click Answer: A
  • 518.
    Which of the following AWS services provides a high level of security for IoT devices? Choose the best response. A. IoT Core B. IoT Device Management C. IoT Device Defender D. IoT SiteWise Answer: C
  • 519.
    Which AWS IoT service provides software that runs on a gateway that resides on-premises? Choose the best response. A. IoT Core B. IoT Device Management C. IoT Events D. IoT SiteWise Answer: D
  • 520.
    AWS IoT Core enables simple devices to trigger AWS Lambda functions. True or false? A. True B. False Answer: B
  • 521.
    With AWS IoT Device Management, you can send firmware updates OTA. True or false? A. True B. False Answer: A
  • 522.
    Which of the following is an AWS service that allows you to visually connect different web services and devices when building your IoT applications? Choose the best response. A. IoT Things Graph B. IoT Analytics C. IoT Events D. IoT SiteWise Answer: A
  • 523.
    Your organization is creating an app that tracks humidity and temperature in refrigerated cases. You need to be able to analyze the data even though there might be gaps in the telemetry. Which AWS IoT service would help with this requirement? Choose the best response. A. IoT Things Graph B. IoT Analytics C. IoT Events D. IoT SiteWise Answer: B
  • 524.
    Which AWS IoT service allows you to select a preferred connection protocol? Choose the best response. A. IoT Device Defender B. IoT Greengrass C. IoT Events D. IoT Core Answer: D
  • 525.
    Which AWS IoT device software is an edge runtime? Choose the best response. A. FreeRTOS B. IoT Greengrass C. IoT SiteWise D. IoT Core Answer: B
  • 526.
    With IoT Events, you define each event’s logic using basic if-then-else statements. True or false? A. True B. False Answer: A
  • 527.
    In this module, you'll learn how to:
     Explain Big Data and Analytics and AWS products such as Amazon Athena, Amazon EMR, Amazon Redshift, Amazon Kinesis, Amazon Elasticsearch Service, Amazon Quicksight, and AWS Glue
     Describe Artificial Intelligence (AI) and Machine Learning (ML) and identify AWS AI and ML services such as Amazon Kendra, Amazon Comprehend, Amazon Personalize, and Amazon SageMaker
  • 528.
     When talking about big data, there are three concepts to remember that are called the “three Vs” of big data:
    – Volume—the amount of data
    – Variety—data comes from a wide range of sources and formats
    – Velocity—the speed at which data needs to be collected, stored, processed, and analyzed
  • 529.
    Service name – Used to…
    Amazon Athena – Query data in S3 using SQL; interactive analytics
    Amazon EMR – Provide a hosted Hadoop framework and big data processing
    Amazon Redshift – Perform data warehousing
    Amazon Kinesis – Analyze real-time video and data streams
    Amazon Elasticsearch Service – Run and scale Elasticsearch clusters; operational analytics
    Amazon Quicksight – Create dashboards and visualizations
    AWS Glue DataBrew – Clean and normalize data; visual data preparation
    AWS Glue – Prepare and load data
    AWS Lake Formation – Build secure data lakes
    AWS Deep Learning AMIs – Perform deep learning on EC2
    Amazon SageMaker – Build, train, and deploy machine learning models at scale
  • 531.
     Amazon Athena is an interactive query service.
     Using Amazon Athena, you can analyze data in Amazon S3 using standard SQL queries.
     Athena is serverless, so you don’t need to manage any infrastructure.
     Athena automatically performs software updates and scales your infrastructure as your datasets and number of users grow.
  • 532.
     It’s cost-effective
     It’s easy to get started
     It’s serverless
     It uses standard SQL for queries
     It’s fast
     It’s durable and highly available
     It’s secure
     It integrates with AWS Glue
     It can execute federated queries
  • 533.
     Amazon EMR is a managed analytics service that lets you use open-source frameworks such as:
    – Hadoop
    – Apache Spark
    – Apache Hive
    – Apache HBase
    – Apache Flink
    – Apache Hudi
    – Presto
  • 534.
     Amazon EMR can be deployed on three platforms:
    – Amazon EC2—EMR manages provisioning, management, and scaling of the EC2 instances.
    – Amazon EKS—EMR runs on-demand Apache Spark jobs on Amazon EKS without needing to provision EMR clusters.
    – AWS Outposts—EMR allows you to set up, deploy, manage, and scale EMR in your on-premises environments, just as you would in the cloud.
  • 535.
     Batch processing (ETL)
     Machine learning
     Clickstream analysis
     Real-time streaming
     Interactive analytics
  • 536.
     Apache Hadoop framework
     Apache Spark
     Apache HBase
     Apache Flink
     Apache Hudi
     Presto
  • 537.
    1. Develop your data processing application. EMR supports many programming languages.
    2. Upload your application and data to Amazon S3.
    3. Configure and launch your cluster.
    4. Monitor the cluster using the AWS Management console and Amazon CloudWatch.
    5. Retrieve and visualize the output. The output comes from Amazon S3 or HDFS on the cluster. You can use visualization tools such as Amazon QuickSight, MicroStrategy, and Tableau.
  • 538.
     AWS Glue is a fully managed, serverless ETL (extract, transform, and load) service. AWS Glue is built for complex projects such as:
    – Building event-driven ETL (extract, transform, and load) pipelines
    – Finding data across multiple data stores by creating and using a unified catalog
    – Preparing and exploring data visually
    – Building views to combine and replicate data
  • 539.
     The pharma company collects petabytes of clinical data logs that are produced by clinical sites and stored in the cloud. The company wants to analyze the clinical data logs to gain insights into trial performance, side effects, and other usage information. It also wants to identify additional treatment opportunities, develop compelling new therapeutics, drive business growth, and provide a better experience to its trial participants.
    – To extract insights, the company hopes to use Amazon EMR with a Spark cluster in the cloud to process and transform the joined data.
    – The transformed data is then published into an AWS Lake Formation data warehouse where reports can be generated.
    – The company wants to automate this workflow so they can monitor and manage it daily.
    – They also want to execute this workflow when files arrive in an S3 storage container.
    – The platform the company can use to solve this data scenario is AWS Glue. You can use AWS Glue to schedule and create data-driven pipelines (workflows) that can ingest data from different data stores.
  • 540.
     AWS Glue Data Catalog
     Job
     Crawler
     Connection
     Data store
     Data source
     Data target
     Dynamic Frame
     Table
     Transform
     Trigger
  • 541.
     A paid service that allows everyone in your organization to understand your data by asking questions in natural language, exploring through interactive dashboards, or automatically looking for patterns and outliers powered by machine learning.
  • 543.
     Artificial intelligence (AI) is a computer system or machine that can perform tasks that typically require human intelligence.
     Machine learning (ML) is an application of AI where systems can automatically learn and develop from experience without being programmed directly.
  • 544.
     AWS Machine Learning is a cloud-based environment for creating and managing ML models. You can build, train, test, deploy, and track your models using a workspace.
     SageMaker Studio is a fully integrated development environment (IDE) for machine learning. You can use SageMaker Studio to build, train, and deploy ML models at scale.
  • 545.
    Service – Used to…
    Amazon SageMaker Autopilot – Provide automated machine learning capabilities that deliver complete visibility into your ML models.
    Amazon SageMaker Ground Truth – Build extremely accurate training datasets for ML. Ground Truth uses custom or built-in data labeling workflows for videos, images, text, and 3D point clouds.
    Amazon SageMaker JumpStart – Provide a set of solutions for common ML use cases and offer one-click deployable solutions, pre-trained ML models, and example notebooks.
    Amazon SageMaker Data Wrangler – Radically reduce the time it takes to prepare and aggregate data for ML.
    Amazon SageMaker Feature Store – Provide a purpose-built repository to share, store, retrieve, and update ML features.
    Amazon SageMaker Clarify – Deliver transparency to your models by detecting bias across the ML workflow and explaining model behavior.
    Amazon SageMaker Debugger – Optimize ML models with real-time monitoring of training metrics and system resources.
    Amazon SageMaker Model Monitor – Detect and remediate concept drift to keep models more accurate over time.
    Distributed Training – Automatically partition model and training data with distributed training on Amazon SageMaker.
    Amazon SageMaker Pipelines – Deliver a continuous integration and continuous delivery (CI/CD) service for ML.
    Amazon SageMaker Edge Manager – Help you efficiently monitor and manage ML models running on edge devices.
  • 548.
    Service name – Used to…
    Amazon Comprehend – Provide natural language processing to extract insights and relationships from unstructured text.
    Amazon CodeGuru – Automate code reviews and identify expensive lines of code.
    Amazon Lex – Build conversational agents to improve customer service.
    Amazon Forecast – Build accurate forecasting models. Forecast is based on the same ML forecasting technology that Amazon.com uses.
    Amazon Textract – Automatically and quickly extract text and data from millions of documents.
    Amazon Kendra – Add natural language search capabilities to your apps. This allows your users to quickly find the information they need.
    Amazon Fraud Detector – Identify possible fraudulent online activities. Fraud Detector is based on the same technology that Amazon.com uses.
    Amazon Rekognition – Add video and image analysis to your applications. Rekognition allows you to catalog assets, automate media workflows, and extract insights.
    Amazon Personalize – Personalize experiences for your customers based on the same ML technology used by Amazon.com.
    Amazon Translate – Expand your reach through efficient translations to reach audiences in multiple languages.
    Amazon Polly – Give voice to your applications by turning text into life-like speech.
    Amazon Transcribe – Add high-quality speech-to-text capabilities to your applications and workflows.
  • 550.
    Which of the following is a serverless, interactive analytics service? Choose the best response. A. Amazon Athena B. Amazon Quicksight C. Amazon EMR D. AWS Glue Answer: A
  • 551.
    Which of the following is a fully managed, Apache Spark-based analytics platform optimized for AWS? Choose the best response. A. Amazon Athena B. Amazon Quicksight C. Amazon EMR D. AWS Glue Answer: C
  • 552.
    Which of the following does Athena integrate with to let you create a unified metadata repository across various services? Choose the best response. A. AWS Glue Data Catalogs B. Amazon Quicksight C. Amazon Kinesis D. Amazon EMR Answer: A
  • 553.
    An AWS Glue Dynamic Frame is self-describing. True or false? A. True B. False Answer: A
  • 554.
    In AWS Glue, which component is a program that connects to a data store, determines your data’s schema, and then creates metadata tables in the Glue Data Catalog? Choose the best response. A. Job B. Crawler C. Cluster D. Dynamic Frame Answer: B
  • 555.
    Which of the following is a fully integrated development environment for machine learning? Choose the best response. A. AWS Glue B. Amazon Kinesis C. Amazon Quicksight D. SageMaker Studio Answer: D
  • 556.
    Match the AI service in Column A to its description in Column B.
    1. Amazon Comprehend – A. Add natural language search capabilities to your apps so users can quickly find the information they need.
    2. Amazon Kendra – B. Customize experiences for your customers based on the same ML technology used by Amazon.com.
    3. Amazon Rekognition – C. Provide natural language processing to extract insights and relationships from unstructured text.
    4. Amazon Personalize – D. Add video and image analysis to your applications to catalog assets.
    5. Amazon Polly – E. Add high-quality speech-to-text capabilities to your applications and workflows.
    6. Amazon Transcribe – F. Give voice to your applications by turning text into life-like speech.
    Answer: 1-C, 2-A, 3-D, 4-B, 5-F, 6-E
  • 557.
    Which AWS AI service would you choose to create an application with a conversational interface? Choose the best response. A. Amazon Transcribe B. Amazon Polly C. Amazon Rekognition D. Amazon Lex Answer: D
  • 558.
    Which Amazon SageMaker service radically reduces the time it takes to prepare and aggregate data for ML? Choose the best response. A. JumpStart B. Ground Truth C. Data Wrangler D. Pipelines Answer: C
  • 559.
    Your organization is setting up an AWS solution that requires the ability to analyze all of your data with a fast cloud data warehouse. Which of the following would you choose? Select all that apply. A. Amazon Redshift B. AWS Lake Formation C. Amazon SageMaker D. Amazon Quicksight Answer: A and B
  • 560.
    In this module, you'll learn how to:
     Describe DevOps solutions available on AWS such as AWS CodeCommit, CodeArtifact, CodeBuild, CodeDeploy, and CodePipeline
     Describe other AWS developer tools such as Cloud9, AWS CodeStar, and X-Ray
  • 561.
     DevOps (Development and Operations) is a collection of principles and general practices that stresses the collaboration of developers and IT operations teams to form an environment where software can be rapidly developed, tested, and released in a largely automated process.
     Amazon provides several services for developers, including:
    – CodeCommit
    – CodeArtifact
    – CodeBuild
    – CodeDeploy
    – CodePipeline
  • 563.
     AWS CodeCommit is a source code version control service.
     Using CodeCommit, you can store and manage private Git repositories in the AWS cloud.
     A repository is a hosting environment for organizing a code or application development project.
     A repository can contain anything a project needs, including folders, files, images, videos, spreadsheets, and data sets.
  • 565.
     AWS CodeArtifact is a fully managed artifact repository service. You can use CodeArtifact to securely store and share the software packages you use for application development.
     Benefits
    – Use packages from public artifact repositories
    – Publish and share packages
    – Approve packages for use
    – View statistics on package usage
    – Enable access control and monitoring
    – Use AWS PrivateLink endpoints to access packages within a VPC
  • 567.
     AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that you can deploy.
     With CodeBuild, you don’t need to provision, scale, or manage build servers; the infrastructure is included as part of the CodeBuild service.
  • 568.
     Build project
     Build environment
     Build commands
     Build specification (buildspec)
  • 570.
     AWS CodeDeploy is a fully managed deployment service that automates software deployments to various compute services such as AWS Lambda, AWS Fargate, Amazon EC2, or on-premises servers. CodeDeploy provides the following benefits:
    – Automated software deployments
    – Rapidly introduce new features in applications
    – Minimized downtime by introducing changes incrementally
    – Centralized control over deployments with the CodeDeploy console
    – Works with any platform, language, or application
  • 571.
     Application
     Compute platform
     Deployment configuration
     Deployment group
     Deployment type
     IAM instance profile
     Revision
     Service role
     Target revision
  • 573.
     AWS CodePipeline is a continuous delivery service that you can use to build, test, and release deployments for your applications.
  • 574.
     Pipelines
     Stages
     Actions
     Pipeline executions
     Stopped executions
     Failed executions
     Superseded executions
     Stage executions
     Action executions
     Action types
     Transitions
     Artifacts
     Source revisions
  • 578.
     Cloud9
     AWS CodeStar
     X-Ray
  • 579.
     AWS Cloud9 is a cloud-based integrated development environment (IDE) that you use to write, run, and debug code.
     You can build applications that will run on a server or applications for serverless environments.
     You can use any machine with a browser to use Cloud9.
  • 582.
     AWS CodeStar is a cloud-based service for creating, managing, and working with software development projects on AWS.
     AWS CodeStar provides a unified user interface for multiple development activities.
  • 584.
     AWS X-Ray is a development tool that makes it easy for developers to analyze the behavior of their distributed applications.
     X-Ray offers services such as:
    – Debugging
    – Tracing
    – Service mapping
  • 588.
    Your organization needs to create a repository for a development project. Which AWS service will fit this requirement? Select all that apply. A. CodeCommit B. CodeArtifact C. CodeBuild D. CodeDeploy Answer: A and B
  • 589.
    Which AWS development tool feature provides build and release services to support continuous integration of your apps? Choose the best response. A. CodeBuild B. CodePipelines C. CodeDeploy D. X-Ray Answer: A
  • 590.
    Which AWS development tool is an integrated development environment (IDE) that you use to write, run, and debug code? Choose the best response. A. CodeStar B. CodeBuild C. CodeArtifact D. Cloud9 Answer: D
  • 591.
    An artifact is a group of build commands and associated settings that CodeBuild uses to run a build. True or false? A. True B. False Answer: B
  • 592.
    Which of the following AWS developer tools are NOT part of the Developer Tools console? Select all that apply. A. Cloud9 B. CodeBuild C. CodeDeploy D. X-Ray E. CodeStar Answer: A, D, and E
  • 593.
    Which one of the following AWS services provides a cloud-based service for creating, managing, and working with software development projects on AWS? Choose the best response. A. CloudCommit B. CodeBuild C. CodeStar D. CodeDeploy E. Cloud9 Answer: C
  • 594.
    A pipeline must have at least two stages. True or false? A. True B. False Answer: A
  • 595.
    Which of the following are the collections of data that are worked on by pipeline actions? Choose the best response. A. Pipelines B. Artifacts C. Actions D. Deployments E. Repositories Answer: B
  • 596.
    Which of the following services does X-Ray perform? Select all that apply. A. Debugging B. Deployments C. Service mapping D. Tracing E. Code storage Answer: A, C, and D
  • 597.
    Your organization wants to deploy serverless AWS Lambda functions using CodeDeploy. Will CodeDeploy meet this requirement? Yes or No? A. Yes B. No Answer: A
  • 598.
    You should now know how to:
     Describe AWS messaging and queuing and AWS products such as Amazon Simple Notification Service (Amazon SNS) and Amazon Simple Queue Service (Amazon SQS)
     Describe the internet of things (IoT) and AWS IoT products such as AWS IoT Core, AWS IoT Device Management, AWS IoT Device Defender, and AWS IoT 1-Click
     Explain Big Data and Analytics and AWS products such as Amazon Athena, Amazon EMR, Amazon Redshift, Amazon Kinesis, Amazon Elasticsearch Service, Amazon Quicksight, and AWS Glue
     Describe Artificial Intelligence (AI) and Machine Learning (ML) and identify AWS AI and ML services such as Amazon Kendra, Amazon Comprehend, Amazon Personalize, and Amazon SageMaker
     Describe DevOps solutions such as AWS CodeCommit, CodeArtifact, CodeBuild, CodeDeploy, CodePipeline, Cloud9, AWS CodeStar, and X-Ray
  • 599.
    In this chapter, you'll learn how to:
     Describe cloud security fundamentals and AWS security services
     Explain authentication and authorization for the AWS cloud
     Describe AWS detection and incident response services
     Describe AWS infrastructure and data protection services
  • 600.
    In this module, you'll learn how to:
     Describe the shared responsibility model for security
     Describe the defense in depth model
     Describe AWS security service categories and services
  • 601.
     Cloud services have multiple potential security challenges, some of which are unique and others that are shared with traditional network services.
     Any cloud service is still a network service and is subject to network attacks.
     Using an off-premises cloud service requires secure communications to and from the cloud.
     Apart from the need for secured communications with outside providers, using a cloud service for sensitive information means giving a lot of control of its handling over to another entity.
     Attacks on public cloud services can affect several or even all customers at a time.
     Different cloud services have varying privacy policies on how they might share customer data and information and precisely what jurisdictional privacy laws apply.
  • 602.
     Confidentiality – Ensuring that information is viewable only by authorized users or systems, and is either inaccessible or unreadable to unauthorized users.
     Integrity – Ensuring that information remains accurate and complete over its entire lifetime.
     Availability – Ensuring that information is always easily accessible to authorized users.
  • 603.
     Risk – The chance of harm coming to an asset.
     Threat – Anything that can cause harm to an asset.
     Vulnerability – Any weakness the asset has against potential threats.
  • 604.
     Security becomes a concern shared by both cloud providers and customers. This is called the shared responsibility model.
     In this shared responsibility model for security, the cloud provider is responsible for the “security of the cloud.” This means the cloud provider is responsible for all the infrastructure that runs cloud services.
     The customer has responsibilities, as well. They are responsible for “security in the cloud.” This means customers need to manage the configuration of cloud resources that they use.
  • 607.
     Identity & access management
     Detection
     Infrastructure protection
     Data protection
     Incident response
     Compliance
  • 608.
    Service – Used to…
    AWS Identity & Access Management (IAM) – Manage access to resources and services
    AWS Single Sign-On – Provide single sign-on (SSO) service to cloud services
    Amazon Cognito – Manage app identities
    AWS Directory Service – Provide a managed Microsoft Active Directory (AD)
    AWS Resource Access Manager – Securely manage and share AWS resources
    AWS Organizations – Centrally manage and control related AWS accounts
  • 609.
Service – Used to…
AWS Security Hub – Provide a cohesive security and compliance center
Amazon GuardDuty – Manage threat detection
Amazon Inspector – Analyze application security
AWS Config – Record and evaluate AWS resource configurations
AWS CloudTrail – Track user activity and API usage
  • 610.
Service – Used to…
AWS Network Firewall – Provide network security
AWS Shield – Provide DDoS protection
AWS Web Application Firewall (WAF) – Filter malicious web traffic
AWS Firewall Manager – Centrally manage firewall rules
  • 611.
Service – Used to…
Amazon Macie – Find and protect your sensitive data at scale
AWS Key Management Service (KMS) – Manage and store keys
AWS CloudHSM – Store hardware-based keys for regulatory compliance
AWS Certificate Manager – Provision, deploy, and manage public and private SSL/TLS certificates
AWS Secrets Manager – Rotate, manage, and retrieve secrets
  • 612.
Service – Used to…
Amazon Detective – Investigate potential security issues
CloudEndure Disaster Recovery – Provide quick, automated disaster recovery
  • 613.
Service – Used to…
AWS Artifact – Provide on-demand access to compliance reports and agreements
AWS Audit Manager – Audit AWS usage and assess compliance and risks
  • 615.
Which of the following is anything that can cause harm to an asset? Choose the best response.
A. Risk
B. Threat
C. Vulnerability
D. Incident
Answer: B
  • 616.
Which of the following describes the shared security model? Select the best two responses.
A. The cloud provider is responsible for security of the cloud.
B. The cloud provider is responsible for security in the cloud.
C. The customer is responsible for security of the cloud.
D. The customer is responsible for security in the cloud.
Answer: A and D
  • 617.
Order the defense-in-depth layers from the top to the bottom of the illustration.
1. Host
2. Data
3. Users and organization
4. Internal network
5. Application
6. Perimeter network
7. Physical facility
Correct order: 2, 5, 1, 4, 6, 7, 3
  • 618.
Which AWS identity & access management service allows you to manage identities for your apps? Choose the best response.
A. AWS Identity & Access Management (IAM)
B. Amazon Inspector
C. AWS Resource Access Manager
D. Amazon Cognito
Answer: D
  • 619.
Which AWS detection service provides a threat detection service? Choose the best response.
A. AWS Security Hub
B. Amazon Inspector
C. Amazon GuardDuty
D. AWS CloudTrail
Answer: C
  • 620.
Which AWS infrastructure protection service provides DDoS protection? Choose the best response.
A. AWS Security Hub
B. AWS Network Firewall
C. AWS Shield
D. AWS Web Application Firewall (WAF)
Answer: C
  • 621.
Which AWS data protection service allows you to store hardware-based keys for regulatory compliance? Choose the best response.
A. Amazon Macie
B. AWS Key Management Service (KMS)
C. AWS Certificate Manager
D. AWS CloudHSM
Answer: D
  • 622.
Which incident response service allows you to investigate potential security issues? Choose the best response.
A. AWS Artifact
B. Amazon Detective
C. Amazon Inspector
D. AWS Audit Manager
Answer: B
  • 623.
Which AWS service allows you to access compliance reports? Choose the best response.
A. AWS Artifact
B. AWS Certificate Manager
C. AWS Audit Manager
D. Amazon Inspector
Answer: A
  • 624.
In this module, you'll learn how to:
 Explain the difference between authentication and authorization
 Describe the functionality and usage of multi-factor authentication (MFA) and single sign-on (SSO)
 Describe the functionality and usage of AWS Directory Service
  • 625.
Authentication – Verification of a principal’s identity, for example via a user name and password or an ID card. Authentication is sometimes referred to as AuthN.
Authorization – Specifying the exact resources a given authenticated user is allowed to access. Sometimes referred to as AuthZ.
Accounting – Tracking the actions of an authenticated user for later review.
  • 626.
Knowledge – Something you know, like a password, PIN, or answer to a challenge question.
Possession – Something you have, like a physical key, ID badge, or smart card. Traditionally, this includes any form of digital data a human can’t be expected to memorize.
Inherence – Something you are: a unique physical or behavioral characteristic like a fingerprint, voiceprint, or signature. Biometrics are inherence elements based on personal physical characteristics.
  • 627.
 Somewhere you are – Recognizing a network user’s physical location.
 Something you can do – Behavioral recognition, such as analyzing the pattern of someone’s keystrokes to recognize a typing pattern.
 Something you exhibit – Behaviors of a more inherent sort, like personality traits or even detectable neurological activities.
 Someone you know – Connections to another person who is trusted via personal relationships or chain-of-trust authentication systems.
  • 628.
 There are two main families of authentication and authorization protocols used with AWS: SAML, and OAuth 2.0 together with OpenID Connect.
  • 629.
 Security Assertion Markup Language (SAML) is an open XML-based standard that is used to exchange authentication and authorization information.
Principal – A client seeking to be authenticated, typically an end user.
IdP – An Identity Provider is an authentication server that holds a directory of users and the attributes it asserts about them. SAML federations can have any number of IdPs.
SP – A Service Provider is a server containing resources, such as a web application, that relies on the IdP’s assertion.
  • 630.
 AWS supports the OpenID Connect (OIDC) protocol for handling authentication and the Open Authorization (OAuth) 2.0 protocol for handling authorization.
  • 632.
 Multi-factor authentication (MFA) and single sign-on (SSO) are methods of controlling identity authentication and authorization.
  • 633.
 Multi-factor authentication (MFA) provides additional security by requiring two or more elements from different authentication factors for full authentication.
 Two-factor authentication (2FA) is popular for modern high-security applications.
  • 634.
 To protect your AWS resources, Amazon recommends configuring multi-factor authentication (MFA). You can enable MFA for the AWS account root user and for IAM users.
 AWS supports the following MFA mechanisms for access to AWS websites or services:
– Virtual MFA device – an app that runs on a mobile device or phone and imitates a physical device, generating a six-digit time-based one-time password (TOTP).
– U2F security key (now described by AWS as a FIDO security key) – a device that you plug into a computer’s USB port and then tap instead of entering a code manually.
– Hardware MFA device – a hardware token that generates a six-digit numeric code that the user must type during sign-in.
– SMS text message MFA – AWS sends a six-digit numeric code by SMS to the user’s registered mobile number so the user can enter it. AWS offered this only as a preview, which has since ended, and SMS is the weakest of the four because codes can be intercepted or redirected by SIM swapping.
  • 635.
 Single sign-on (SSO) systems allow users to access many services with one set of credentials.
  • 636.
 You can use AWS SSO (since renamed AWS IAM Identity Center) with your AWS applications to perform authentication and to access user or group information.
 AWS SSO accomplishes this by providing an identity store that contains user and group attributes but does not include their sign-in credentials. There are two methods to keep an AWS SSO identity store up to date:
– Use the AWS SSO identity store as your main identity source so it is always up to date.
– Set up synchronization (provisioning) of users and groups from either Active Directory or an external identity provider to your AWS SSO identity store.
  • 638.
 AWS Managed Microsoft AD – AWS Managed Microsoft AD is built on Microsoft’s Active Directory (Microsoft AD). You don’t need to replicate or synchronize your data from your existing Active Directory to the cloud.
 AD Connector – AD Connector is a proxy service that you can use to connect compatible applications and EC2 for Windows Server instances to your current on-premises Microsoft AD.
 Simple AD – Simple AD is a standalone Microsoft AD–compatible directory that is powered by Samba 4. Simple AD supports basic AD features such as user accounts, groups, joining Windows-based EC2 instances or Linux instances to the domain, group policies, and Kerberos-based SSO.
 Amazon Cognito – Amazon Cognito is a user directory that adds identity services to your web or mobile apps using Amazon Cognito User Pools.
  • 640.
Your organization has several solutions on AWS. You want to allow users to sign on to several different apps using the same credentials. Which of the following services is best suited to accomplish this? Choose the best response.
A. SSO
B. IAM policies
C. AWS Connect
D. MFA
Answer: A
  • 641.
Which of the following is true for AWS authentication and authorization? Choose the best response.
A. It uses the OpenID Connect protocol for handling authentication and the OAuth 2.0 protocol for handling authorization.
B. It uses the OAuth 2.0 protocol for handling authentication and the OpenID Connect protocol for handling authorization.
C. It uses the OpenID Connect protocol for handling authentication and the SAML protocol for handling authorization.
D. It uses the SAML protocol for handling authentication and the OAuth 2.0 protocol for handling authorization.
Answer: A
  • 642.
Which authentication factor includes biometrics? Choose the best response.
A. Knowledge
B. Possession
C. Inherence
D. Location
Answer: C
  • 643.
Your organization is deploying several solutions in AWS. You want to centrally manage identities for accessing AWS resources and signing into Microsoft 365. Which of the following would you recommend using? Choose the best response.
A. Amazon Cognito
B. Simple AD
C. AWS Connect
D. AWS Managed Microsoft AD
Answer: D
  • 644.
Which of the following requires two or more elements from the authentication factors for full authentication? Choose the best response.
A. AWS Managed Microsoft AD
B. SSO
C. Simple AD
D. MFA
Answer: D
  • 645.
Your organization has several web and mobile apps that collect user identities. Which AWS Directory Service can you use to manage these identities? Choose the best response.
A. SSO
B. Simple AD
C. Amazon Cognito
D. AD Connector
Answer: C
  • 646.
You want to use Microsoft AD to provide a single user identity that can be used for authentication and authorization to all resources, no matter where the resource is located (cloud or on-premises). Which of the following services would you recommend? Choose the best response.
A. AWS Managed Microsoft AD
B. Simple AD
C. Amazon Cognito
D. AD Connector
Answer: D
  • 647.
Your organization is planning on deploying a solution in the AWS cloud. They are planning to implement MFA for identities hosted in AWS. Is it necessary to deploy a federation solution or sync on-premises identities to the cloud?
A. Yes
B. No
Answer: B
  • 648.
In this module, you'll learn how to:
 Describe the functionality of AWS detection services
 Describe AWS incident response services
  • 649.
 Intrusion detection systems and intrusion prevention systems (IDS and IPS) monitor networks for suspicious behavior.
Service – Used to…
AWS Security Hub – Provide a cohesive security and compliance center
Amazon GuardDuty – Manage threat detection
Amazon Inspector – Analyze application security
AWS Config – Record and evaluate AWS resource configurations
AWS CloudTrail – Track user activity and API usage
  • 650.
 AWS Security Hub is an all-encompassing security monitoring service. Security Hub gathers security data from across AWS accounts and services, as well as from supported third-party partner products.
 In AWS Security Hub, you can view findings, alerts, and recommendations to improve your security posture.
  • 651.
 Amazon GuardDuty is a security monitoring service that continuously scans your AWS workloads for security issues.
 You can use GuardDuty to analyze and process data from a wide variety of sources. Data sources include log files from:
– VPC flow logs
– AWS CloudTrail management events
– CloudTrail S3 data events
– DNS events
  • 652.
 Account – A standard AWS account that contains your AWS resources.
 Detector – An object that represents the GuardDuty service in a region. For each region where you use GuardDuty, a separate detector is created.
 Data source – The location of the data that will be processed by GuardDuty.
 Finding – A possible security issue detected by GuardDuty.
 Suppression rule – A combination of attributes that you can use to silence findings.
 Trusted IP list – A list of IP addresses that your AWS environment trusts; GuardDuty won’t produce findings when they communicate with your environment.
 Threat list – A list of known malicious IP addresses for which GuardDuty will generate findings if they are detected.
  • 654.
 Amazon Inspector is an automated security assessment service. You can use Inspector to improve the security and compliance of your applications deployed on AWS.
 You can use Amazon Inspector to automatically assess applications for vulnerabilities, exposures, and departures from best practices.
  • 655.
 Amazon Inspector agent – An Amazon Inspector agent is a software component that you can install on the EC2 instances that are included in an assessment target. The Amazon Inspector agent collects a wide set of configuration data (telemetry).
 Assessment run – The process of analyzing an assessment target’s configuration against specified rules packages to discover potential security issues.
 Assessment target – A group of AWS resources for which Amazon Inspector evaluates the security state.
 Assessment template – An assessment template is a set of specifications that is used during your assessment run.
 Finding – A finding is a potential security issue that Inspector finds during an assessment run of a specified target.
 Rule – A rule is a security check that Inspector performs during an assessment run.
 Rules package – A rules package is a group of rules that Inspector uses during an assessment run.
 Telemetry – The telemetry comes from the installed software configuration and package information of an EC2 instance.
  • 656.
 To start using Inspector, you can enable it using the AWS Management Console. Sign in to the AWS Management Console, and then click Services > Inspector. Inspector is listed under Security, Identity, & Compliance.
  • 658.
 AWS Config is a service that allows you to audit, assess, and evaluate the configurations of your AWS resources.
 Config continuously monitors and records your AWS resources’ configurations.
  • 659.
1. A configuration change occurs in your AWS resources.
2. AWS Config records and normalizes the changes into a consistent format.
3. If you are using AWS Config rules, AWS Config continuously evaluates your AWS resource configurations against the desired settings.
4. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as noncompliant.
5. When the compliance status of a resource changes, AWS Config sends an alert to your Amazon SNS topic.
  • 661.
 AWS CloudTrail is an auditing and monitoring service, so it also functions as a security detection source.
 CloudTrail creates logs that give you specific information on what occurred in your AWS account by recording the API calls made through the console, the CLI and the SDKs.
 When an API call occurs, the following information is recorded for the API caller:
– Its identity
– The time of the call
– Its source IP address
– The request parameters and the response returned by the service
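Those few fields are enough for the detections most teams write first. The block below is an added example, not AWS code, that runs three rules over constructed CloudTrail records trimmed to the fields the rules read: root-account API use, a console sign-in that succeeded without MFA, and a change to CloudTrail logging itself. The final pivot groups alerts by source IP, which is how an investigator notices that one address produced all three. The account id, user names and addresses are constructed for the demo.

```python
"""Detections over CloudTrail records (added example, not AWS code)."""
import json
from collections import defaultdict

# Constructed sample records with only the fields the rules need.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-06-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2021-06-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2021-06-01T10:07:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-06-01T10:09:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# CloudTrail API names that reduce or remove audit coverage.
LOGGING_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(rec):
    """Human-readable caller: user name, else ARN, else the identity type."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def rule_root_use(rec):
    if rec.get("userIdentity", {}).get("type") == "Root":
        return "root account used for an API call"
    return None


def rule_console_login_without_mfa(rec):
    if (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "console sign-in succeeded without MFA"
    return None


def rule_logging_tampering(rec):
    if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in LOGGING_CHANGES):
        return "CloudTrail logging configuration changed"
    return None


RULES = (rule_root_use, rule_console_login_without_mfa, rule_logging_tampering)


def detect(log_text):
    """Run every rule over every record; one alert per rule hit, in log order."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        for rule in RULES:
            reason = rule(rec)
            if reason:
                alerts.append({"rule": rule.__name__, "reason": reason,
                               "event": rec.get("eventName"), "actor": actor(rec),
                               "source_ip": rec.get("sourceIPAddress"),
                               "time": rec.get("eventTime")})
    return alerts


def by_source_ip(alerts):
    """Pivot on source IP so several different alerts from one address stand out."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[alert["source_ip"]].append(alert["rule"])
    return dict(grouped)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert["time"], alert["rule"], alert["actor"], alert["source_ip"])
    print(by_source_ip(found))
```

The MFA rule deliberately treats a missing `MFAUsed` field the same as `"No"`, so a record that lacks the field still alerts rather than silently passing.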
  • 663.
1. Detect
2. Assess
3. Diagnose
4. Stabilize and recover
5. Close
  • 664.
 Detective is a paid AWS service that is designed to simplify this investigation process.
 Detective automatically collects your AWS resources’ log data. Detective can ingest massive amounts of events from data sources such as:
– VPC flow logs
– AWS CloudTrail logs
– Amazon GuardDuty findings
 Detective then automatically uses statistical analysis, machine learning, and graph theory to create a unified, interactive view of your users, resources, and the interactions between them over periods of time.
 You can use this unified view to see all the details and context in one location.
  • 665.
 Administrator account
 Behavior graph
 Source data
 Entity
 Finding
 High-volume entity
 Investigation
 Member account
 Profile
 Profile panel
 Relationship
 Scope time
  • 667.
 CloudEndure Disaster Recovery is a paid AWS service that is designed to help organizations recover from IT disasters. IT disasters include:
– Data center failures
– Server corruptions
– Cyber attacks
 CloudEndure Disaster Recovery works in public regions, on AWS Outposts, and in AWS GovCloud (US).
Continued…
  • 668.
 Using CloudEndure, you can perform the following types of disaster recovery:
– On-premises to cloud
– On-premises to on-premises
– Cross-region
– Cross-cloud
  • 670.
Order the stages of an incident response.
1. Diagnose
2. Detect
3. Close
4. Assess
5. Stabilize and recover
Correct order: 2, 4, 1, 5, 3
  • 671.
Which of the following AWS detection services provides a comprehensive view of your security posture for all your AWS accounts? Choose the best response.
A. GuardDuty
B. Security Hub
C. Inspector
D. AWS Config
E. Detective
Answer: B
  • 672.
Which of the following is a security monitoring service that continuously scans your AWS workloads for security issues? Choose the best response.
A. GuardDuty
B. Detective
C. Amazon Macie
D. AWS Shield
Answer: A
  • 673.
Which of the following is an AWS automated security assessment service? Choose the best response.
A. GuardDuty
B. Security Hub
C. Inspector
D. AWS Shield
Answer: C
  • 674.
Your organization has specific requirements for resources that must meet several regulatory compliance standards. Which AWS service can help you ensure your resource configurations meet these standards? Choose the best response.
A. Security Hub
B. Inspector
C. AWS Secrets Manager
D. AWS Config
Answer: D
  • 675.
Your organization is using GuardDuty. You keep receiving alerts about a supposed security issue from a specific user that you know is not an issue. What can you do to stop receiving these alerts? Select all that apply.
A. Create a suppression rule.
B. Remove the user from the Trusted IP list.
C. Add the user’s IP address to the Trusted IP list.
D. Add the user to the Threat list.
E. Remove the detector from that region.
Answer: A and C
  • 676.
Your organization is using Amazon Inspector. You want to inspect your AWS environment to determine if it meets several organizational security goals. Which of the following would help you accomplish this task? Choose the best response.
A. Create a finding based on the security goals.
B. Create a rules package based on the security goals.
C. Create a detector based on the security goals.
D. Install an Inspector agent.
Answer: B
  • 677.
Which AWS service can give you specific information on what occurred in your AWS account by recording API calls? Choose the best response.
A. AWS Config
B. Inspector
C. AWS CloudTrail
D. CloudEndure
Answer: C
  • 678.
Your organization is creating a disaster recovery plan for its cloud environment. Which AWS service can help your organization quickly recover if a disaster occurs? Choose the best response.
A. AWS Config
B. Amazon Macie
C. Security Hub
D. CloudEndure
Answer: D
  • 679.
Which of the following are included in a Detective behavior graph? Select all that apply.
A. Findings
B. Targets
C. Entities
D. Relationships
Answer: A, C, and D
  • 680.
In this module, you'll learn how to:
 Describe the functionality of AWS network access control features, including network ACLs and security groups
 Describe denial-of-service attacks and the functionality of AWS Shield
 Describe the functionality and usage of AWS Network Firewall, AWS Web Application Firewall (WAF), and AWS Firewall Manager
 Describe the functionality and usage of AWS Key Management Service (KMS), AWS Secrets Manager, AWS Certificate Manager, and Amazon Macie
  • 681.
 The risk of sending sensitive data over the network is entirely a function of where the data goes and who can receive it; in fact, the same rule applies to the network’s risk from malicious traffic.
 The switches and routers that direct traffic on the network for performance and connectivity are among the most powerful tools for securing it.
  • 682.
 Access control lists (ACLs) are lists attached to a resource, giving permissions or rules about precisely who can access it.
 A network ACL specifies what types of traffic are and aren’t allowed to pass through a device like a router or a firewall.
  • 683.
 Network ACLs are stateless: each packet is evaluated on its own in each direction, so the reply to a permitted inbound request still needs a matching outbound rule (typically for the ephemeral port range).
 A VPC automatically comes with a default, configurable network ACL.
 Custom network ACLs can be associated with a subnet.
 Network ACLs have separate inbound and outbound rules.
 Every VPC subnet must be associated with a network ACL.
 One network ACL can be associated with multiple subnets.
 A network ACL is a numbered list of rules, evaluated from the lowest number upward; the first matching rule decides, and a final catch-all rule denies anything unmatched.
 There are quotas for the number of network ACLs per VPC.
  • 684.
 Rule number
 Type
 Protocol
 Port range
 Source
 Destination
 Allow/Deny
  • 685.
 A security group is a collection of access control rules that define traffic filters.
 You can use a security group as a virtual firewall to filter inbound (ingress) or outbound (egress) network traffic in an AWS VPC.
  • 686.
 When you create a security group, you must give it a name and a description.
 You can specify allow rules.
 You cannot specify deny rules.
 You can specify individual rules that cover inbound or outbound traffic, or both.
 You can use security group rules to filter traffic based on port numbers and protocols.
 In AWS, security groups are stateful: if a request is sent from an EC2 instance, the response traffic for that request is permitted to flow in or out regardless of the inbound or outbound security group rules.
 A newly created security group has no inbound rules until you add them.
Continued…
  • 687.
 A newly created security group includes a default outbound rule that allows all outbound traffic. You can remove this rule and add outbound rules as needed.
 There are quotas for the following items; the quota number depends on your account:
– The number of rules that you can add to each security group
– The number of security groups that you can create per VPC
– The number of security groups that you can associate with a network interface
 Security groups are associated with network interfaces. When you create a network interface, by default it is associated with the VPC’s default security group.
 You can only use a security group in the VPC that you specified during the group’s creation.
  • 688.
 Source (inbound rules only): the source of the traffic and the destination port or port range. The source can be a single IPv4/IPv6 address, an IPv4/IPv6 CIDR block, another security group, or a prefix list ID.
 Destination (outbound rules only): the destination for the traffic and the destination port or port range. The destination can be a single IPv4/IPv6 address, an IPv4/IPv6 CIDR block, another security group, or a prefix list ID.
 Protocol: any protocol that has a standard protocol number.
 An optional description for the security group rule.
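The practical difference between the two filters is easiest to see by evaluating the same request and its reply against each. The following is an added example, not AWS code: a small model of a network ACL (numbered rules, lowest first, first match decides, stateless) and of a security group (allow rules only, remembers permitted flows). It runs a web request from a client through both and shows why the ACL needs an outbound ephemeral-port rule for the reply while the security group does not, and why a lower-numbered deny rule beats a later allow. Addresses, ports and rule sets are constructed for the demo.

```python
"""Stateless network ACL versus stateful security group (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The packet a reply to this one would be."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    proto: str           # "tcp", "udp", "icmp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str            # source for inbound rules, destination for outbound rules
    action: str = "allow"   # network ACLs may also "deny"; security groups never do
    number: int = 100       # network ACL rule number (evaluation order)

    def matches(self, pkt, direction):
        peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        return (self.proto in ("-1", pkt.proto)
                and self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr, strict=False))


class NetworkAcl:
    """Stateless: every packet is judged on its own, lowest rule number first."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def allows(self, pkt, direction):
        for rule in self.rules[direction]:
            if rule.matches(pkt, direction):
                return rule.action == "allow"   # first match decides
        return False                             # the catch-all "*" rule denies the rest


class SecurityGroup:
    """Stateful: allow rules only, and the reply to a tracked flow always passes."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.tracked = set()

    def allows(self, pkt, direction):
        if pkt.reverse() in self.tracked:
            return True   # response to a permitted request; rules are not consulted
        if any(r.matches(pkt, direction) for r in self.rules[direction]):
            self.tracked.add(pkt)
            return True
        return False


def web_round_trip(nacl, sg):
    """Client 203.0.113.5 fetches port 80 on 10.0.1.10; check request and reply on both filters."""
    request = Packet("tcp", "203.0.113.5", 51234, "10.0.1.10", 80)
    reply = request.reverse()
    return {
        "request_nacl": nacl.allows(request, "inbound"),
        "request_sg": sg.allows(request, "inbound"),
        "reply_nacl": nacl.allows(reply, "outbound"),
        "reply_sg": sg.allows(reply, "outbound"),
    }


HTTP_IN = Rule("tcp", 80, 80, "0.0.0.0/0")
EPHEMERAL_OUT = Rule("tcp", 1024, 65535, "0.0.0.0/0")

# Network ACL with the outbound ephemeral-port rule the reply needs.
GOOD_NACL = NetworkAcl(inbound=[HTTP_IN], outbound=[EPHEMERAL_OUT])
# The same ACL without it: the request gets in, the reply is dropped on the way out.
BROKEN_NACL = NetworkAcl(inbound=[HTTP_IN], outbound=[])
# A lower-numbered deny for one client range wins over the later allow.
DENY_FIRST_NACL = NetworkAcl(inbound=[Rule("tcp", 80, 80, "203.0.113.0/24", "deny", 90), HTTP_IN],
                             outbound=[EPHEMERAL_OUT])

if __name__ == "__main__":
    print("complete ACL:          ", web_round_trip(GOOD_NACL, SecurityGroup([HTTP_IN], [])))
    print("ACL without ephemeral: ", web_round_trip(BROKEN_NACL, SecurityGroup([HTTP_IN], [])))
    print("deny rule 90 first:    ", web_round_trip(DENY_FIRST_NACL, SecurityGroup([HTTP_IN], [])))
```

The security group in each run has its default allow-all outbound rule removed on purpose; the reply still passes because the group tracks the request, which is exactly the stateful behaviour the slide describes.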
  • 690.
 Modern networks rely heavily on devices and software designed primarily to secure them.
 The most prominent and familiar of these are firewalls.
  • 691.
 Attacks on availability are commonly called denial-of-service (DoS) attacks because their main effect is the denial of network services to legitimate users.
 A distributed denial-of-service (DDoS) attack is a DoS attack scaled up by using multiple attacking systems in multiple locations to generate a traffic spike that will challenge even powerful targets.
  • 692.
 The AWS Shield service helps to provide defense against DDoS attacks. There are two levels of AWS Shield: Standard and Advanced.
Feature – Standard – Advanced
Active traffic monitoring and always-on detection – Yes – Yes
Automatic attack protection – Yes – Yes
Availability guarantee – Region – Application
Advanced DDoS attack protection – – Yes
Health-based detection – – Yes
Detection tuned to the customer’s application – – Yes
Real-time metrics and alerts – – Yes
Post-attack mitigation reports – – Yes
DDoS proactive event response support – – Yes
  • 694.
 A firewall is a service that grants or denies access to a server based on attributes of each request, most commonly the originating IP address.
 When you configure a firewall, you create firewall rules.
 You can configure firewall rules to grant or deny access to the server based on specified ranges of IP addresses, network protocols, and port information.
  • 695.
 AWS Network Firewall is a managed, cloud-based network security service that you can use to protect your AWS VPCs.
 It is a fully stateful firewall service with cloud scalability and built-in high availability.
  • 696.
 Automated scaling and high availability
 Stateful firewall
 Web filtering
 Intrusion prevention
 Flow and alert logs
 Central management and visibility
 Rule customization and management
 Wide support and partner integrations
  • 697.
 Firewall – A firewall is an AWS resource that provides traffic filtering logic for VPC subnets.
 Firewall policy – A firewall policy sets the rules and other settings for a firewall to use when filtering a VPC’s incoming and outgoing traffic.
 Rule group – A rule group sets the rules used to match against VPC traffic and the actions to take when Network Firewall finds a corresponding match. Network Firewall uses stateless and stateful rule group types.
 Virtual private cloud (VPC) – Your account’s dedicated virtual network.
 Internet gateway – An internet gateway is a VPC gateway that allows communication between your VPC resources and the internet.
Continued…
  • 698.
 Subnet – A subnet is a range of IP addresses in your VPC.
 Firewall subnet – A firewall subnet is used by Network Firewall exclusively for a firewall endpoint.
 Route table – A route table contains a group of rules, called routes. These routes determine which traffic is sent through the Network Firewall endpoint.
 Stateless rules – A stateless rule inspects each packet on its own, using only the packet’s own header fields (addresses, protocol, ports), without reference to any other packet.
 Stateful rules – A stateful rule inspects packets in the context of the connection they belong to, so it can match on direction, flow state and application-layer content; stateful rules use Suricata-compatible syntax.
  • 699.
 AWS WAF (Web Application Firewall) is a firewall for web applications. You can use AWS WAF to protect your web applications or APIs against typical web exploits.
 You can create rules to filter on any part of a web request, such as HTTP headers, the HTTP body, IP addresses, or URI strings.
 AWS WAF provides pre-configured rule groups: AWS Managed Rules, maintained by AWS, and partner-managed rule groups available in the AWS Marketplace.
 AWS WAF gives you near-real-time visibility into your web traffic.
  • 701.
1. Create a web access control list (web ACL). You can create the web ACL using the wizard in the AWS WAF console.
2. Select the AWS resources for which you want AWS WAF to inspect web requests.
3. Add the rules and rule groups that you want to use to filter web requests.
4. Specify the web ACL’s default action, either allow or block.
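What a web ACL does at request time follows from those steps: rules are evaluated in priority order, the first allow or block terminates evaluation, a count rule records its match and lets evaluation continue, and the default action applies when nothing terminates. The block below is an added example, not AWS code, that models that evaluation over constructed requests with three rules: an IP set blocklist, a request-body and query-string SQL-injection check, and a count rule for requests with no User-Agent. The SQL-injection signature is a deliberately small illustration of the idea, not AWS’s managed rule, and the addresses and rule names are constructed.

```python
"""Web ACL evaluation in the style of AWS WAF (added example, not AWS code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Request:
    source_ip: str
    method: str
    uri: str
    query: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    name: str
    priority: int       # lower runs first
    action: str         # "allow", "block" or "count"
    statement: object   # callable taking a Request, returning True on a match


# Constructed, intentionally narrow SQL-injection signature for the demo.
SQLI = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\b|--\s)")


def sqli_in(*selectors):
    """Match the signature against the URL-decoded text of the selected request parts."""
    def statement(req):
        return any(SQLI.search(unquote_plus(select(req))) for select in selectors)
    return statement


def ip_in(cidrs):
    """Match requests whose source address falls in any block of an IP set."""
    nets = [ipaddress.ip_network(c) for c in cidrs]

    def statement(req):
        addr = ipaddress.ip_address(req.source_ip)
        return any(addr in net for net in nets)
    return statement


def header_missing(name):
    return lambda req: name.lower() not in {k.lower() for k in req.headers}


class WebAcl:
    def __init__(self, rules, default_action="allow"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default_action = default_action

    def evaluate(self, req):
        """Return (action taken, rule that decided it, names of rules that counted)."""
        counted = []
        for rule in self.rules:
            if rule.statement(req):
                if rule.action == "count":
                    counted.append(rule.name)   # record and keep evaluating
                    continue
                return rule.action, rule.name, counted
        return self.default_action, "default", counted


WEB_ACL = WebAcl([
    Rule("ip-blocklist", 1, "block", ip_in(["192.0.2.0/24"])),
    Rule("sqli", 2, "block", sqli_in(lambda r: r.query, lambda r: r.body, lambda r: r.uri)),
    Rule("missing-user-agent", 3, "count", header_missing("User-Agent")),
], default_action="allow")

# Constructed sample requests.
SAMPLES = {
    "normal": Request("203.0.113.9", "GET", "/products", "id=42", {"User-Agent": "curl/7.79"}),
    "sqli_query": Request("203.0.113.9", "GET", "/products", "id=1%27%20OR%20%271%27%3D%271",
                          {"User-Agent": "curl/7.79"}),
    "blocklisted_ip": Request("192.0.2.77", "GET", "/products", "id=42", {"User-Agent": "curl/7.79"}),
    "no_user_agent": Request("203.0.113.9", "POST", "/search", "", {}, "q=shoes"),
    "sqli_body": Request("203.0.113.9", "POST", "/search", "", {"User-Agent": "Mozilla/5.0"},
                         "q=x%27+UNION+SELECT+password+FROM+users--+"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:15s} -> {WEB_ACL.evaluate(req)}")
```

Two points carry over to real deployments: inspect the decoded form of each part (the `%27` in the sample would otherwise never match), and start a new rule in count mode so you can measure false positives before switching it to block.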
  • 702.
 AWS Firewall Manager is a security management service. It provides a single place to perform administration and maintenance for several AWS security services across multiple accounts.
 You can use Firewall Manager to set up:
– AWS WAF firewall rules
– AWS Network Firewall firewalls
– Amazon VPC security groups
– AWS Shield Advanced protections
  • 704.
To use AWS Firewall Manager, your account must meet the following prerequisites:
 Your account must be a member of AWS Organizations.
 Your account must be the AWS Firewall Manager administrator.
 You must have AWS Config enabled for your accounts and regions.
 The AWS Organizations management account must enable AWS Resource Access Manager (RAM) for all member accounts in your organization.
  • 706.
 Data protection means securing a message or data in a way that allows it to be accessed only by authorized individuals or groups.
 Non-authorized individuals or groups are less likely to be able to access the message or data, or might not be able to access it at all.
 Think of data protection as a key and a door. If you have the key, you can unlock the door and access the data. If you don’t have the key, you are blocked from accessing the data.
 One of the main ways data protection happens is by using encryption.
  • 707.
 Symmetric encryption – Uses a single key to encrypt and decrypt data.
– Also known as secret-key or private-key cryptography.
– Symmetric encryption is well suited for bulk encryption of large amounts of data for storage or transmission.
 Asymmetric encryption – Uses two mathematically related keys (a public key and private key pair).
– Data encrypted with one key can only be decrypted with the other.
– Also known as public-key cryptography.
– Asymmetric cryptography can be used to provide authenticity as well as confidentiality.
  • 708.
 Data in motion – Data in motion is data that is actively being transported from one location to another, such as through a private network or across the internet.
 Data at rest – When data is archived or stored, reasonably secure encryption techniques should be applied to it.
 Data in use – This is data that is being shared, processed, or viewed. Protection at this stage of the data lifecycle is less mature than the other encryption techniques and typically focuses on Information Rights Management and Digital Rights Management solutions.
  • 709.
 Client-side encryption – Client-side encryption allows you to manage and store keys on-premises or in another secure location.
– Client-side encryption is performed outside of AWS.
– You maintain full control over your encryption keys.
 Server-side encryption – Most AWS services that store and manage your data support server-side encryption.
– In these cases, the service also transparently encrypts and decrypts your data for you.
– There are three server-side encryption models:
• Customer-managed CMKs (customer master keys)
• AWS-managed CMKs
• AWS-owned CMKs
  • 710.
 AWS Key Management Service (KMS) is a centralized cloud service for managing keys and defining policies consistently across integrated AWS services and your own applications.
 AWS KMS can help you create and control the encryption keys used to encrypt your data. Access to stored secrets and keys requires proper authentication and authorization. AWS KMS allows you to create and manage customer master keys (CMKs; AWS now calls these KMS keys).
 AWS KMS CMKs are protected by hardware security modules (HSMs).
  • 711.
 Customer master keys (CMKs) – Customer master keys are the primary resources in AWS KMS. A customer master key (CMK) is a logical representation of a master key.
 Data keys – A data key is an encryption key that you can use to encrypt data. You can use a data key to encrypt large amounts of data as well as other data encryption keys. Data keys are generated, encrypted, and decrypted using AWS KMS CMKs. However, you must use and manage your data keys outside of AWS KMS.
 Custom key stores – A custom key store is an AWS KMS resource. A custom key store is associated with hardware security modules (HSMs) in a CloudHSM cluster that you own and manage.
 Key policy – A key policy contains permissions that determine who can use and manage a CMK.
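The data-key bullet describes envelope encryption: the master key never leaves KMS, the caller asks for a data key, encrypts locally with it, and stores only the ciphertext plus the data key wrapped under the master key; the key policy decides who may ask KMS to unwrap it later. The following is an added example, not AWS code or the AWS SDK: a hypothetical `KmsStandIn` class stands in for the two KMS calls the pattern needs (GenerateDataKey and Decrypt) and for a minimal key policy, so the example runs offline. The symmetric cipher is a stdlib-only stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag) used only so the key hierarchy can be shown without third-party packages; in practice use AES-GCM from a real library. Key ids and principal names are constructed for the demo.

```python
"""Envelope encryption with a KMS-style key service (added example, not AWS code)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def aead_encrypt(key, plaintext, aad=b""):
    """Stand-in authenticated encryption producing nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key, blob, aad=b""):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext or associated data was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class KmsStandIn:
    """Hypothetical stand-in for KMS: master keys never leave it; a key policy gates use."""

    def __init__(self):
        self._keys = {}  # key_id -> (master key bytes, principals the key policy allows)

    def create_key(self, key_id, key_policy_principals):
        self._keys[key_id] = (secrets.token_bytes(32), set(key_policy_principals))

    def _master_key_for(self, key_id, principal):
        if principal not in self._keys[key_id][1]:
            raise PermissionError(f"{principal} is not allowed to use {key_id}")
        return self._keys[key_id][0]

    def generate_data_key(self, key_id, principal):
        """Like GenerateDataKey: (plaintext data key, data key wrapped under the master key)."""
        master = self._master_key_for(key_id, principal)
        data_key = secrets.token_bytes(32)
        wrapped = key_id.encode() + b"\x00" + aead_encrypt(master, data_key, aad=key_id.encode())
        return data_key, wrapped

    def decrypt(self, wrapped, principal):
        """Like Decrypt: unwrap a data key; the key id travels inside the wrapped blob."""
        key_id, blob = wrapped.split(b"\x00", 1)
        master = self._master_key_for(key_id.decode(), principal)
        return aead_decrypt(master, blob, aad=key_id)


def envelope_encrypt(kms, key_id, principal, plaintext):
    """Encrypt locally under a one-use data key; persist only the wrapped key and ciphertext."""
    data_key, wrapped = kms.generate_data_key(key_id, principal)
    record = {"wrapped_key": wrapped, "ciphertext": aead_encrypt(data_key, plaintext)}
    del data_key  # the plaintext data key is never stored with the data
    return record


def envelope_decrypt(kms, principal, record):
    data_key = kms.decrypt(record["wrapped_key"], principal)
    return aead_decrypt(data_key, record["ciphertext"])


def can_decrypt(kms, principal, record):
    """True only if the key policy allows the principal and the record is intact."""
    try:
        envelope_decrypt(kms, principal, record)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    kms = KmsStandIn()
    kms.create_key("app-data-key", ["app-role"])
    rec = envelope_encrypt(kms, "app-data-key", "app-role", b"account 4111 1111 1111 1111")
    print("round trip:", envelope_decrypt(kms, "app-role", rec))
    print("analytics-role can decrypt:", can_decrypt(kms, "analytics-role", rec))
```

Every object gets its own data key, so a leaked ciphertext exposes nothing without a call to the key service, and that call is the point at which the key policy and CloudTrail logging apply.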
  • 714.
 AWS Secrets Manager is a service you can use to securely store secrets and manage access to them.
 A secret is a set of credentials.
 Credentials commonly include a user name, password, and connection details that you use to access a secured service.
 AWS Secrets Manager stores your application secrets in a centralized location where you can manage and control their distribution to lower the risk of unintended access.
  • 716.
 AWS Certificate Manager (ACM) is a service you can use to provision, deploy and manage the public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for your AWS resources.
 ACM certificates can secure:
– Single domain names
– Multiple domain names
– Wildcard domains
– Any combination of domain names
  • 718.
 Amazon Macie is a paid, fully managed data privacy and security service that helps with discovering and protecting sensitive data.
 Macie uses pattern matching and machine learning to find and protect your sensitive data in your AWS cloud environment.
 Macie automatically provides an inventory of your Amazon S3 buckets. The list includes which buckets are publicly accessible, unencrypted, or shared with other AWS accounts.
  • 722.
Which of the following determines when a network ACL security rule is processed? Choose the best response.
A. Protocol
B. Rule number
C. Port range
D. Source
Answer: B
In AWS, security groups are stateless. True or false?
A. True
B. False
Answer: B
One of your developers needs to set up an SSL security certificate on a newly deployed website. Which of the following AWS services can be used to deploy the SSL server certificate? Choose the best response.
A. AWS Config
B. AWS ACM
C. Route 53
D. Security Hub
Answer: B
Which of the following are good practices for application security credentials? Select all that apply.
A. Store them as secrets in Secrets Manager.
B. Embed them in your application code.
C. Delete all access keys and use user names and passwords instead.
D. Rotate them on a regular basis.
Answer: A and D
Which AWS service uses pattern matching and machine learning to find and protect your sensitive data? Choose the best response.
A. GuardDuty
B. Amazon Macie
C. Detective
D. AWS Shield
Answer: B
Which of the following are needed before using AWS Firewall Manager? Select all that apply.
A. Your account must be a member of AWS Organizations.
B. Your account cannot be a member of AWS Organizations.
C. Your account must be the AWS Firewall Manager administrator.
D. You must have AWS Config enabled for your accounts and regions.
E. You must enable RAM for all member accounts in your organization.
Answer: A, C, D, and E
Which of the following services can help protect your web applications from SQL injections and other vulnerabilities in your application code? Choose the best response.
A. AWS Shield
B. AWS WAF
C. AWS Config
D. AWS Cognito
E. Security Hub
Answer: B
What service does AWS provide to help protect against DDoS attacks? Choose the best response.
A. AWS Shield
B. AWS WAF
C. AWS Config
D. AWS Cognito
E. Security Hub
Answer: A
An organization created an EC2 instance. An application is installed on the instance that users need to access through the internet with HTTP. Which of the following can you modify to allow access? Select all that apply.
A. DDoS Protection settings
B. AWS Network Firewall
C. Security Hub
D. Security groups
Answer: B and D
Your organization wants to host an application in AWS. The application connects to an RDS SQL database, and you want to store the database credentials in a secure location. Which of the following services will fulfill this requirement? Choose the best response.
A. AWS Managed AD
B. Secrets Manager
C. Certificate Manager
D. GuardDuty
Answer: B
You should now know how to:
• Describe cloud security fundamentals and AWS security services
• Explain authentication and authorization for the AWS cloud
• Describe AWS detection and incident response services
• Describe AWS infrastructure and data protection services
In this chapter, you'll learn how to:
• Describe AWS governance features, including Identity and Access Management (IAM), AWS policies, AWS CloudFormation, and the AWS Cloud Adoption Framework
• Describe privacy and compliance resources, such as the Amazon core tenets of Security, Privacy, and Compliance, and the purpose of the Amazon Privacy Statement
• Describe AWS compliance features
In this module, you'll learn how to:
• Describe the functionality and use of Identity and Access Management (IAM)
• Describe the functionality and usage of resource locks
• Describe the functionality and use of AWS policies
• Describe the functionality and usage of AWS CloudFormation
• Describe the AWS Cloud Adoption Framework
• The AWS access control solution is called Identity and Access Management (IAM). You can use IAM to manage:
  – Who has access to AWS resources
  – What those users can do with those resources
  – What areas they have access to
• You can use IAM to provide granular control over access management for your AWS resources.
• Using IAM, you can grant users the specific access they need to perform their jobs.
• Resources – IAM resources include users, groups, roles, policies, and identity providers. Similar to other AWS services, you can add, edit, and remove resources from IAM.
• Identities – Identities are IAM resource objects (users, groups, and roles) used for identifying and grouping purposes. You can attach a policy to any IAM identity.
• Principals – A person or application that signs in as the AWS account root user, an IAM user, or an IAM role to make requests for an action or operation to AWS.
• Requests – A principal uses the AWS Management Console, the AWS CLI, or the AWS API to send a call for an action or operation to AWS.
• Entities – The IAM resource objects (IAM users and roles and federated users) that AWS uses for authentication.
• Authentication – A principal must be verified using credentials to send a request to AWS.
• Authorization – Authentication verifies who you are. To complete your request, you must also be authorized (allowed) to perform the action or operation in your request.
  – Explicit deny
  – Implicit deny
• Actions or operations – AWS approves requested actions or operations after AWS authenticates and authorizes the request.
• IAM users
• IAM groups
• IAM roles
• IAM policies
• AWS service role
• AWS service role for an EC2 instance
• AWS service-linked role
• Role chaining
• Delegation
• Federation
• Federated user
• Trust policy
• Permissions policy
• Principal
• Cross-account access role
• Grant least privilege access
• Use AWS Organizations
• Enable identity federation
• Enable MFA
• Rotate credentials regularly
• Enable IAM Access Analyzer
• IAM policies are a governance feature that allows you to create, assign, and manage permissions.
• Kinds of policies
  – AWS-managed policy – a standalone policy that is created and administered by AWS.
  – Customer-managed policy – a standalone policy that you administer in your own AWS account.
  – Inline policy – a policy that is embedded in an IAM identity. An inline policy becomes part of the identity. You can create an inline policy and embed it in an identity at any time.
• Identity-based policies
• Resource-based policies
• Permissions boundary policies
• Organization SCPs
• Access control lists (ACLs)
• Session policies
• For some AWS services, it’s possible to grant cross-account access to your resources.
• To do this, you attach a policy to the resource that you want to share instead of using a role.
• Resource-based policies specify which principal can access that resource.
• Cross-account access with a resource-based policy has an advantage over cross-account access with a role: the principal doesn’t need to give up its own permissions in order to assume the role.
• You can create and assign customer-managed policies using the AWS Management Console, AWS CLI, or AWS API.
• Accessing a policy summary (services)
  1. In the IAM console, click Policies.
  2. In the list of policies, click a policy’s name.
  3. On the policy’s Summary page, the Permissions tab lists the services associated with this policy and the access level, affected resources, and request condition.
• Services summary (actions)
  1. In the list of services, click a service’s name.
  2. On the service’s Summary page, the Permissions tab lists the actions associated with this service and the affected resources and request conditions.
• Action summary (resources)
  1. In the list of actions, click an action’s name.
  2. On the action’s Summary page, the Permissions tab lists affected resources, regions, accounts, and request conditions.
• AWS CloudFormation allows cloud architects to set up a repeatable set of resources that make up an AWS environment by treating infrastructure as code.
• With AWS CloudFormation, cloud architects and development teams can work together to quickly build and deploy new environments.
• CloudFormation templates are useful for organizations that need to adhere to strict compliance or security regulations, because the same compliant configuration can be deployed repeatably.
• Templates – An AWS CloudFormation template is a YAML- or JSON-formatted text file that describes your resources, resource dependencies, and configurations so you can launch a set of resources together as a stack.
• Stacks – In AWS CloudFormation, a stack is a collection of AWS resources that you can manage as a single item.
• Change sets – AWS CloudFormation uses change sets to preview how proposed modifications to a stack might impact running resources.
1. Code your infrastructure. Code your infrastructure from a sample template or from scratch using the CloudFormation template language (either YAML or JSON format).
2. Upload your template to an S3 bucket.
3. Use AWS CloudFormation to create a stack. You can use the AWS CloudFormation console, AWS CLI, or APIs to create your stack from your template.
4. AWS CloudFormation provisions and configures the stack with the resources you specified in your template.
• The AWS Cloud Adoption Framework is a compilation of documentation, best practices, implementation guides, and tools to help organizations accelerate creating or expanding their cloud presence.
• The framework includes both business and technology strategies that your organization can use to meet short-term and long-term cloud objectives.
• You can access the Cloud Adoption Framework by visiting https://aws.amazon.com/professional-services/CAF/.
• Business
• People
• Governance
• Platform
• Security
• Operations
1. Identify stakeholders in the organization that are crucial for successful cloud adoption.
2. Identify and examine cloud adoption concerns or questions that the stakeholders have.
3. Determine the skills and processes that will require modification to address the concerns or questions.
4. Create a final action plan for modifying those skills or processes.
Which of the following is an IAM identity in an account that has specific permissions and can be taken on by anyone who needs it? Choose the best response.
A. IAM user
B. IAM role
C. IAM resource
D. AWS policy
E. An identity provider
Answer: B
Which of the following are included in a request? Select all that apply.
A. Principal
B. Actions or operations
C. Identity provider
D. Environment data
E. Entity data
F. Resource data
G. Resources
Answer: A, B, D, F, and G
You plan to deploy several web apps where users upload images to S3 buckets. You need to control access to the buckets. Which of the following should you use? Choose the best response.
A. An IAM role
B. A resource lock
C. An identity-based policy
D. A resource-based policy
Answer: D
Your organization allows developers to provision their own EC2 instances in AWS. You need to ensure that developers only deploy approved instance types on the corporate account. Which of the following will meet this requirement? Choose the best response.
A. A resource lock
B. An AWS policy
C. An IAM group
D. An AWS Blueprint
Answer: B
Within an account, an implicit deny in a permissions boundary does not limit the permissions granted to an IAM user by a resource-based policy. True or false?
A. True
B. False
Answer: A
Which of the following cannot grant permissions to entities within the same account? Choose the best response.
A. Session policies
B. Organizations SCPs
C. Resource-based policies
D. Identity-based policies
E. ACLs
Answer: E
You want to remove access for a developer who has a role that allows them access to a resource. Which of the following can you do? Select all that apply.
A. Create a resource-based policy that blocks their access.
B. Create an ACL policy.
C. Create a new role that denies them access and apply it to them.
D. Remove the current role that allows them access.
Answer: A and D
Your organization is going to lift and shift a critical infrastructure with several environments to AWS. The environments must meet strict compliance rules. Which of the following will allow your developers to quickly deploy resources configured for compliance standards? Choose the best response.
A. AWS Marketplace
B. AWS resource-based policies
C. AWS Blueprint templates
D. AWS CloudFormation templates
Answer: D
Your organization is considering moving its entire infrastructure to AWS. You are the cloud architect and need to work with various departments and teams in your organization to get everyone ready for the move to AWS. Which of the following can you use to guide decision-making in the organization? Choose the best response.
A. AWS Migration Framework
B. AWS Cloud Adoption Framework
C. AWS Blueprint
D. AWS CloudFormation templates
Answer: B
Which of the following is useful for managing modifications to critical resources before implementing them? Choose the best response.
A. Stacks
B. Resource change groups
C. Change sets
D. AWS CloudFormation templates
Answer: C
In this module, you'll learn how to:
• Describe the core tenets of security, privacy, and compliance for cloud services
• Describe the purpose of the AWS Privacy Notice and data privacy
• Privacy – Amazon believes privacy is a fundamental right for everyone, from individuals to enterprise-level organizations. They aim to value your privacy and preserve the ability of their customers to control their data.
• Security – Amazon uses built-in automation and intelligence to help protect against cyberthreats. Also, AWS helps you keep customer data secure. AWS provides tools to strengthen security and privacy throughout all phases of the development process.
• Compliance – Amazon respects local laws and regulations and provides comprehensive coverage of compliance offerings. Because compliance is critical for customers, AWS conforms to global standards to enhance the trust relationship.
• AWS privacy notice
  – What kinds of personal data AWS processes
  – How AWS processes this personal data
  – What purposes this personal data is used for
  – You can access the most current version of the AWS privacy statement at https://aws.amazon.com/privacy/
• Data privacy resources and FAQs
  – AWS maintains an online repository of data privacy resources and FAQs for AWS products and services, available at https://aws.amazon.com/compliance/data-privacy/
  – You can also access information about AWS service capabilities for privacy considerations at https://aws.amazon.com/compliance/data-privacy/service-capabilities/
  – AWS also has an online resource for the European Union’s General Data Protection Regulation (GDPR), available at https://aws.amazon.com/compliance/gdpr-center/
When your organization agrees to use AWS, the Amazon privacy policy says that Amazon can mine your data for advertising or marketing purposes. True or false?
A. True
B. False
Answer: False
Where would you find information about how you can opt out and control your personal information when using AWS? Choose the best response.
A. The AWS privacy statement
B. The AWS trust center
C. Online Services Terms (OSTs)
D. Service Level Agreements (SLAs)
Answer: A
AWS maintains an online repository of data privacy resources and FAQs for AWS products and services. True or false?
A. True
B. False
Answer: True
AWS has an online resource for the European Union’s General Data Protection Regulation (GDPR). True or false?
A. True
B. False
Answer: True
Your organization is considering migrating its local IT infrastructure to AWS. You need to read Amazon’s policies regarding customer data privacy in the AWS public cloud. Where should you look for this information? Choose the best response.
A. The AWS Privacy policy
B. The online repository of data privacy resources and FAQs
C. AWS Privacy center
D. In the Service Level Agreements (SLAs)
Answer: B
In this module, you'll learn how to:
• Describe industry compliance terms such as GDPR, ISO, and NIST
• Describe AWS compliance resources
• Compliance with regulations and standards means you need to understand your organization’s responsibilities for governing resources and how they are used.
• How compliant is the cloud provider at handling sensitive data?
• How compliant are the cloud provider’s services?
• What terms are part of the cloud provider’s privacy statement?
• Is it possible to deploy cloud-based solutions for scenarios that have accreditation or compliance requirements?
• You can find out about the various compliance offerings, and the regions in which they are available, at https://aws.amazon.com/compliance/resources/.
• CIS Benchmark
• Cloud Security Alliance (CSA) STAR Certification
• Service Organization Controls (SOC) Type 2
• International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27018
• Criminal Justice Information Services (CJIS)
• National Institute of Standards and Technology (NIST)
• General Data Protection Regulation (GDPR)
• EU Model Clauses
• Multi-Tier Cloud Security (MTCS) Singapore
• UK Government G-Cloud
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• AWS Artifact
• Customer Compliance Center
• AWS Artifact Reports
  – AWS Artifact Reports provide compliance reports from third-party auditors.
  – These auditors have tested and verified that AWS is compliant with a collection of industry, regional, and global security regulations and standards.
• AWS Artifact Agreements
  – In AWS Artifact Agreements, you can review, accept, and manage agreements for an individual account and for all your accounts in AWS Organizations.
• The Customer Compliance Center contains resources to help you learn more about AWS compliance.
• You can access the Customer Compliance Center by visiting https://aws.amazon.com/compliance/customer-center/
• You can access the compliance resources website at https://aws.amazon.com/compliance/resources/
• The AWS Compliance Solutions Guide is a repository of frequently used resources and processes needed to perform your compliance responsibilities on AWS.
• The Services in Scope webpage provides details about which services are currently in scope and which are in progress. You can view this page at https://aws.amazon.com/compliance/services-in-scope/
Which of the following has Amazon adopted that covers the processing of personal information by cloud service providers? Choose the best response.
A. Cloud Security Alliance (CSA) STAR Certification
B. The NIST Cybersecurity Framework (CSF)
C. ISO/IEC 27018
D. General Data Protection Regulation (GDPR)
Answer: C
If an organization has customers in the EU but its headquarters is located outside the EU, it doesn’t need to worry about the GDPR. True or false?
A. True
B. False
Answer: False
Amazon’s PCI DSS compliance status automatically translates to PCI DSS validation for the services that customers build or host on the AWS platform. True or false?
A. True
B. False
Answer: False
When your organization completes the actions within an assessment, you will be in compliance with the associated standard, regulation, or law. True or false?
A. True
B. False
Answer: True
Which of the following sites will show the status of AWS services for the assurance programs? Choose the best response.
A. AWS Services in Scope
B. AWS Artifact Records
C. AWS Artifact Agreements
D. Customer Compliance Center
Answer: A
If an auditor requires a download of a compliance report, where would you find it? Choose the best response.
A. AWS Artifact Agreements
B. AWS Artifact Reports
C. Customer Compliance Center
D. AWS Services in Scope
Answer: B
Which tasks can you complete in AWS Artifact? Select all that apply.
A. Access AWS compliance reports on demand.
B. Set permissions for accounts by configuring service control policies (SCPs).
C. Create users to enable people and applications to interact with AWS services and resources.
D. Consolidate and manage multiple AWS accounts within a central location.
E. Review, accept, and manage agreements with AWS.
Answer: A and E
You should now know how to:
• Describe AWS governance features, including Identity and Access Management (IAM), AWS policies, AWS CloudFormation, and the AWS Cloud Adoption Framework
• Describe privacy and compliance resources, such as the Amazon core tenets of Security, Privacy, and Compliance, and the purpose of the Amazon Privacy Statement
• Describe AWS compliance features